summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
committerYves-Alexis Perez <corsac@corsac.net>2018-02-20 11:09:03 +0100
commit94218f4dc079e5fcf76b3468b9e40072181246f2 (patch)
tree05db24c85038c8ab49a30c98bd93dc7ff126390b /src
parentfd2deca589bc3d067f1cbfe59a25d3a90625e02b (diff)
downloadvyos-strongswan-94218f4dc079e5fcf76b3468b9e40072181246f2.tar.gz
vyos-strongswan-94218f4dc079e5fcf76b3468b9e40072181246f2.zip
New upstream version 5.6.2
Diffstat (limited to 'src')
-rw-r--r--src/Makefile.am4
-rw-r--r--src/Makefile.in7
-rw-r--r--src/charon-cmd/cmd/cmd_options.h2
-rw-r--r--src/charon-nm/nm/nm_backend.c2
-rw-r--r--src/charon-nm/nm/nm_service.c124
-rw-r--r--src/charon-nm/nm/nm_service.h6
-rw-r--r--src/charon-tkm/src/ees/esa_event_service.adb7
-rw-r--r--src/charon-tkm/src/tkm/tkm_diffie_hellman.c2
-rw-r--r--src/charon-tkm/src/tkm/tkm_keymat.c2
-rw-r--r--src/charon-tkm/src/tkm/tkm_listener.c2
-rw-r--r--src/charon-tkm/src/tkm/tkm_nonceg.c2
-rw-r--r--src/charon-tkm/tests/keymat_tests.c2
-rw-r--r--src/conftest/hooks/custom_proposal.c2
-rw-r--r--src/dumm/guest.h2
-rw-r--r--src/ipsec/_ipsec.82
-rw-r--r--src/libcharon/Android.mk1
-rw-r--r--src/libcharon/Makefile.am8
-rw-r--r--src/libcharon/Makefile.in388
-rw-r--r--src/libcharon/config/child_cfg.c8
-rw-r--r--src/libcharon/config/child_cfg.h2
-rw-r--r--src/libcharon/config/ike_cfg.h4
-rw-r--r--src/libcharon/config/peer_cfg.h2
-rw-r--r--src/libcharon/daemon.c6
-rw-r--r--src/libcharon/encoding/generator.h4
-rw-r--r--src/libcharon/encoding/message.c4
-rw-r--r--src/libcharon/encoding/payloads/proposal_substructure.h2
-rw-r--r--src/libcharon/encoding/payloads/transform_substructure.h2
-rw-r--r--src/libcharon/kernel/kernel_interface.c2
-rw-r--r--src/libcharon/plugins/certexpire/certexpire_cron.h2
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_provider.c2
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_xauth.c2
-rw-r--r--src/libcharon/plugins/ha/ha_ike.c2
-rw-r--r--src/libcharon/plugins/ha/ha_socket.c27
-rw-r--r--src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c75
-rw-r--r--src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c12
-rw-r--r--src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c2
-rw-r--r--src/libcharon/plugins/lookip/lookip_plugin.c2
-rw-r--r--src/libcharon/plugins/osx_attr/osx_attr_handler.c2
-rw-r--r--src/libcharon/plugins/save_keys/Makefile.am18
-rw-r--r--src/libcharon/plugins/save_keys/Makefile.in803
-rw-r--r--src/libcharon/plugins/save_keys/save_keys_listener.c435
-rw-r--r--src/libcharon/plugins/save_keys/save_keys_listener.h57
-rw-r--r--src/libcharon/plugins/save_keys/save_keys_plugin.c107
-rw-r--r--src/libcharon/plugins/save_keys/save_keys_plugin.h50
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c18
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c2
-rw-r--r--src/libcharon/plugins/uci/uci_parser.c2
-rw-r--r--src/libcharon/plugins/vici/README.md8
-rw-r--r--src/libcharon/plugins/vici/libvici.h2
-rw-r--r--src/libcharon/plugins/vici/ruby/Makefile.in2
-rw-r--r--src/libcharon/plugins/vici/vici_cred.c2
-rw-r--r--src/libcharon/plugins/vici/vici_query.c19
-rw-r--r--src/libcharon/processing/jobs/delete_child_sa_job.h2
-rw-r--r--src/libcharon/processing/jobs/rekey_child_sa_job.h3
-rw-r--r--src/libcharon/processing/jobs/update_sa_job.h2
-rw-r--r--src/libcharon/sa/child_sa.c241
-rw-r--r--src/libcharon/sa/child_sa.h6
-rw-r--r--src/libcharon/sa/eap/eap_manager.h2
-rw-r--r--src/libcharon/sa/eap/eap_method.h2
-rw-r--r--src/libcharon/sa/ike_sa.c30
-rw-r--r--src/libcharon/sa/ike_sa.h18
-rw-r--r--src/libcharon/sa/ikev1/phase1.c44
-rw-r--r--src/libcharon/sa/ikev1/tasks/mode_config.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c2
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c102
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c35
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.h12
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_rekey.c12
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.c71
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.c71
-rw-r--r--src/libcharon/sa/keymat.h2
-rw-r--r--src/libcharon/sa/task_manager.h2
-rw-r--r--src/libcharon/sa/xauth/xauth_manager.h2
-rw-r--r--src/libcharon/sa/xauth/xauth_method.h2
-rw-r--r--src/libcharon/tests/Makefile.am1
-rw-r--r--src/libcharon/tests/Makefile.in19
-rw-r--r--src/libcharon/tests/libcharon_tests.h1
-rw-r--r--src/libcharon/tests/suites/test_child_rekey.c55
-rw-r--r--src/libcharon/tests/suites/test_ike_rekey.c6
-rw-r--r--src/libimcv/plugins/imc_os/imc_os.c31
-rw-r--r--src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-2.swidtag (renamed from src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag)4
-rw-r--r--src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-2.swidtag (renamed from src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag)4
-rw-r--r--src/libimcv/pts/pts_database.h2
-rw-r--r--src/libimcv/pts/pts_pcr.h2
-rw-r--r--src/libpttls/pt_tls.h2
-rw-r--r--src/libpttls/pt_tls_server.c2
-rw-r--r--src/libradius/radius_client.h2
-rw-r--r--src/libradius/radius_message.h2
-rw-r--r--src/libradius/radius_socket.c9
-rw-r--r--src/libsimaka/simaka_manager.h2
-rw-r--r--src/libsimaka/simaka_message.c2
-rw-r--r--src/libstrongswan/Android.mk2
-rw-r--r--src/libstrongswan/Makefile.am4
-rw-r--r--src/libstrongswan/Makefile.in13
-rw-r--r--src/libstrongswan/asn1/oid.c415
-rw-r--r--src/libstrongswan/asn1/oid.h208
-rw-r--r--src/libstrongswan/asn1/oid.txt1
-rw-r--r--src/libstrongswan/collections/linked_list.h2
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c10
-rw-r--r--src/libstrongswan/credentials/cred_encoding.c2
-rw-r--r--src/libstrongswan/credentials/keys/signature_params.c6
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c2
-rw-r--r--src/libstrongswan/crypto/proposal/proposal.c (renamed from src/libcharon/config/proposal.c)39
-rw-r--r--src/libstrongswan/crypto/proposal/proposal.h (renamed from src/libcharon/config/proposal.h)15
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.h2
-rw-r--r--src/libstrongswan/eap/eap.c2
-rw-r--r--src/libstrongswan/ipsec/ipsec_types.c7
-rw-r--r--src/libstrongswan/library.c3
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_enc.c4
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_locl.h4
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_pi.h4
-rw-r--r--src/libstrongswan/plugins/blowfish/bf_skey.c4
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish.h4
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish_crypter.c4
-rw-r--r--src/libstrongswan/plugins/des/des_crypter.c6
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c9
-rw-r--r--src/libstrongswan/plugins/newhope/newhope_ke.c2
-rw-r--r--src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c2
-rw-r--r--src/libstrongswan/plugins/plugin_loader.h2
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c5
-rw-r--r--src/libstrongswan/processing/scheduler.h6
-rw-r--r--src/libstrongswan/tests/Makefile.am1
-rw-r--r--src/libstrongswan/tests/Makefile.in19
-rw-r--r--src/libstrongswan/tests/suites/test_proposal.c (renamed from src/libcharon/tests/suites/test_proposal.c)67
-rw-r--r--src/libstrongswan/tests/suites/test_utils.c19
-rw-r--r--src/libstrongswan/tests/tests.h1
-rw-r--r--src/libstrongswan/threading/semaphore.h2
-rw-r--r--src/libstrongswan/utils/chunk.c4
-rw-r--r--src/libtls/tls_alert.c2
-rw-r--r--src/libtls/tls_crypto.c2
-rw-r--r--src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h2
-rw-r--r--src/libtpmtss/Makefile.am2
-rw-r--r--src/libtpmtss/plugins/tpm/Makefile.am1
-rw-r--r--src/libtpmtss/plugins/tpm/Makefile.in6
-rw-r--r--src/libtpmtss/plugins/tpm/tpm_cert.c97
-rw-r--r--src/libtpmtss/plugins/tpm/tpm_cert.h38
-rw-r--r--src/libtpmtss/plugins/tpm/tpm_plugin.c11
-rw-r--r--src/libtpmtss/tpm_tss.h12
-rw-r--r--src/libtpmtss/tpm_tss_trousers.c8
-rw-r--r--src/libtpmtss/tpm_tss_tss2.c209
-rw-r--r--src/pki/commands/print.c21
-rw-r--r--src/pki/man/pki---print.1.in8
-rw-r--r--src/pt-tls-client/pt-tls-client.1.in9
-rw-r--r--src/pt-tls-client/pt-tls-client.c30
-rw-r--r--src/swanctl/commands/list_conns.c50
-rw-r--r--src/swanctl/commands/load_authorities.c16
-rw-r--r--src/swanctl/commands/load_creds.c12
-rw-r--r--src/swanctl/commands/load_pools.c14
-rw-r--r--src/swanctl/swanctl.conf.5.main5
-rw-r--r--src/swanctl/swanctl.opt5
-rw-r--r--src/tpm_extendpcr/Makefile.am14
-rw-r--r--src/tpm_extendpcr/Makefile.in769
-rw-r--r--src/tpm_extendpcr/tpm_extendpcr.c317
154 files changed, 4528 insertions, 1101 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 7bef1a5dd..e2747c300 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -143,3 +143,7 @@ endif
if USE_AIKGEN
SUBDIRS += aikgen
endif
+
+if USE_TPM
+ SUBDIRS += tpm_extendpcr
+endif
diff --git a/src/Makefile.in b/src/Makefile.in
index baae1e09a..9aa3cb166 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -123,6 +123,7 @@ host_triplet = @host@
@USE_IMV_SWIMA_TRUE@am__append_34 = sec-updater
@USE_INTEGRITY_TEST_TRUE@am__append_35 = checksum
@USE_AIKGEN_TRUE@am__append_36 = aikgen
+@USE_TPM_TRUE@am__append_37 = tpm_extendpcr
subdir = src
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -201,7 +202,8 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \
libcharon starter ipsec _copyright charon charon-systemd \
charon-nm stroke _updown scepclient pki swanctl conftest dumm \
libfast manager medsrv pool charon-tkm charon-cmd charon-svc \
- pt-tls-client sw-collector sec-updater checksum aikgen
+ pt-tls-client sw-collector sec-updater checksum aikgen \
+ tpm_extendpcr
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
@@ -478,7 +480,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
$(am__append_25) $(am__append_26) $(am__append_27) \
$(am__append_28) $(am__append_29) $(am__append_30) \
$(am__append_31) $(am__append_32) $(am__append_33) \
- $(am__append_34) $(am__append_35) $(am__append_36)
+ $(am__append_34) $(am__append_35) $(am__append_36) \
+ $(am__append_37)
all: all-recursive
.SUFFIXES:
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
index c7441e795..aa13b0951 100644
--- a/src/charon-cmd/cmd/cmd_options.h
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -63,7 +63,7 @@ struct cmd_option_t {
const char *name;
/** takes argument */
int has_arg;
- /** decription of argument */
+ /** description of argument */
const char *arg;
/** short description to option */
const char *desc;
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index 601daca0a..e4845e745 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -55,7 +55,7 @@ struct nm_backend_t {
static nm_backend_t *nm_backend = NULL;
/**
- * NM plugin processing routine, creates and handles NMVPNPlugin
+ * NM plugin processing routine, creates and handles NMVpnServicePlugin
*/
static job_requeue_t run(nm_backend_t *this)
{
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 3e8392a57..9beac392a 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -1,4 +1,6 @@
/*
+ * Copyright (C) 2017 Lubomir Rintel
+ *
* Copyright (C) 2013 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
@@ -14,8 +16,6 @@
* for more details.
*/
-#include <nm-setting-vpn.h>
-#include <nm-setting-connection.h>
#include "nm_service.h"
#include <daemon.h>
@@ -26,7 +26,7 @@
#include <stdio.h>
-G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
+G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
/**
* Private data of NMStrongswanPlugin
@@ -37,7 +37,7 @@ typedef struct {
/* IKE_SA we are listening on */
ike_sa_t *ike_sa;
/* backref to public plugin */
- NMVPNPlugin *plugin;
+ NMVpnServicePlugin *plugin;
/* credentials to use for authentication */
nm_creds_t *creds;
/* attribute handler for DNS/NBNS server information */
@@ -53,50 +53,46 @@ typedef struct {
/**
* convert enumerated handler chunks to a UINT_ARRAY GValue
*/
-static GValue* handler_to_val(nm_handler_t *handler,
+static GVariant* handler_to_variant(nm_handler_t *handler,
configuration_attribute_type_t type)
{
- GValue *val;
- GArray *array;
+ GVariantBuilder builder;
enumerator_t *enumerator;
chunk_t chunk;
+ g_variant_builder_init (&builder, G_VARIANT_TYPE ("au"));
+
enumerator = handler->create_enumerator(handler, type);
- array = g_array_new (FALSE, TRUE, sizeof (guint32));
while (enumerator->enumerate(enumerator, &chunk))
{
- g_array_append_val (array, *(uint32_t*)chunk.ptr);
+ g_variant_builder_add (&builder, "u",
+ g_variant_new_uint32 (*(uint32_t*)chunk.ptr));
}
enumerator->destroy(enumerator);
- val = g_slice_new0 (GValue);
- g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
- g_value_set_boxed (val, array);
- return val;
+ return g_variant_builder_end (&builder);
}
/**
* signal IPv4 config to NM, set connection as established
*/
-static void signal_ipv4_config(NMVPNPlugin *plugin,
+static void signal_ipv4_config(NMVpnServicePlugin *plugin,
ike_sa_t *ike_sa, child_sa_t *child_sa)
{
NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
- GValue *val;
- GHashTable *config;
+ GVariantBuilder builder;
enumerator_t *enumerator;
host_t *me, *other;
nm_handler_t *handler;
- config = g_hash_table_new(g_str_hash, g_str_equal);
+ g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);
+
handler = priv->handler;
/* NM apparently requires to know the gateway */
- val = g_slice_new0 (GValue);
- g_value_init (val, G_TYPE_UINT);
other = ike_sa->get_other_host(ike_sa);
- g_value_set_uint (val, *(uint32_t*)other->get_address(other).ptr);
- g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, val);
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY,
+ g_variant_new_uint32 (*(uint32_t*)other->get_address(other).ptr));
/* NM installs this IP address on the interface above, so we use the VIP if
* we got one.
@@ -107,47 +103,40 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
me = ike_sa->get_my_host(ike_sa);
}
enumerator->destroy(enumerator);
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_UINT);
- g_value_set_uint(val, *(uint32_t*)me->get_address(me).ptr);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS,
+ g_variant_new_uint32 (*(uint32_t*)other->get_address(me).ptr));
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_UINT);
- g_value_set_uint(val, me->get_address(me).len * 8);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX,
+ g_variant_new_uint32 (me->get_address(me).len * 8));
/* prevent NM from changing the default route. we set our own route in our
* own routing table
*/
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_BOOLEAN);
- g_value_set_boolean(val, TRUE);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, val);
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT,
+ g_variant_new_boolean (TRUE));
- val = handler_to_val(handler, INTERNAL_IP4_DNS);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
- val = handler_to_val(handler, INTERNAL_IP4_NBNS);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
+ handler_to_variant(handler, INTERNAL_IP4_DNS));
+
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
+ handler_to_variant(handler, INTERNAL_IP4_NBNS));
handler->reset(handler);
- nm_vpn_plugin_set_ip4_config(plugin, config);
+ nm_vpn_service_plugin_set_ip4_config(plugin, g_variant_builder_end (&builder));
}
/**
* signal failure to NM, connecting failed
*/
-static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
+static void signal_failure(NMVpnServicePlugin *plugin, NMVpnPluginFailure failure)
{
nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
handler->reset(handler);
- /* TODO: NM does not handle this failure!? */
- nm_vpn_plugin_failure(plugin, failure);
- nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
+ nm_vpn_service_plugin_failure(plugin, failure);
}
/**
@@ -277,12 +266,12 @@ static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv,
/**
* Connect function called from NM via DBUS
*/
-static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
+static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
GError **err)
{
NMStrongswanPluginPrivate *priv;
NMSettingConnection *conn;
- NMSettingVPN *vpn;
+ NMSettingVpn *vpn;
enumerator_t *enumerator;
identification_t *user = NULL, *gateway = NULL;
const char *address, *str;
@@ -676,10 +665,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
/**
* NeedSecrets called from NM via DBUS
*/
-static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
- char **setting_name, GError **error)
+static gboolean need_secrets(NMVpnServicePlugin *plugin, NMConnection *connection,
+ const char **setting_name, GError **error)
{
- NMSettingVPN *settings;
+ NMSettingVpn *settings;
const char *method, *path;
settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
@@ -735,9 +724,9 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
}
/**
- * Disconnect called from NM via DBUS
+ * The actual disconnection
*/
-static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
+static gboolean do_disconnect(gpointer plugin)
{
NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
enumerator_t *enumerator;
@@ -755,17 +744,29 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
enumerator->destroy(enumerator);
charon->controller->terminate_ike(charon->controller, id,
controller_cb_empty, NULL, 0);
- return TRUE;
+ return FALSE;
}
}
enumerator->destroy(enumerator);
- g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
- "Connection not found.");
+ g_debug("Connection not found.");
return FALSE;
}
/**
+ * Disconnect called from NM via DBUS
+ */
+static gboolean disconnect(NMVpnServicePlugin *plugin, GError **err)
+{
+ /* enqueue the actual disconnection, because we may be called in
+ * response to a listener_t callback and the SA enumeration would
+ * possibly deadlock. */
+ g_idle_add(do_disconnect, plugin);
+
+ return TRUE;
+}
+
+/**
* Initializer
*/
static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
@@ -773,7 +774,7 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
NMStrongswanPluginPrivate *priv;
priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
- priv->plugin = NM_VPN_PLUGIN(plugin);
+ priv->plugin = NM_VPN_SERVICE_PLUGIN(plugin);
memset(&priv->listener, 0, sizeof(listener_t));
priv->listener.child_updown = child_updown;
priv->listener.ike_rekey = ike_rekey;
@@ -786,7 +787,7 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
static void nm_strongswan_plugin_class_init(
NMStrongswanPluginClass *strongswan_class)
{
- NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
+ NMVpnServicePluginClass *parent_class = NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class);
g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
sizeof(NMStrongswanPluginPrivate));
@@ -801,10 +802,15 @@ static void nm_strongswan_plugin_class_init(
NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
nm_handler_t *handler)
{
- NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
+ GError *error = NULL;
+
+ NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_initable_new (
NM_TYPE_STRONGSWAN_PLUGIN,
- NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
+ NULL,
+ &error,
+ NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
NULL);
+
if (plugin)
{
NMStrongswanPluginPrivate *priv;
@@ -814,5 +820,11 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
priv->creds = creds;
priv->handler = handler;
}
+ else
+ {
+ g_warning ("Failed to initialize a plugin instance: %s", error->message);
+ g_error_free (error);
+ }
+
return plugin;
}
diff --git a/src/charon-nm/nm/nm_service.h b/src/charon-nm/nm/nm_service.h
index 0cb23e120..74ab38b03 100644
--- a/src/charon-nm/nm/nm_service.h
+++ b/src/charon-nm/nm/nm_service.h
@@ -23,7 +23,7 @@
#include <glib.h>
#include <glib-object.h>
-#include <nm-vpn-plugin.h>
+#include <NetworkManager.h>
#include "nm_creds.h"
#include "nm_handler.h"
@@ -40,11 +40,11 @@
#define NM_DBUS_PATH_STRONGSWAN "/org/freedesktop/NetworkManager/strongswan"
typedef struct {
- NMVPNPlugin parent;
+ NMVpnServicePlugin parent;
} NMStrongswanPlugin;
typedef struct {
- NMVPNPluginClass parent;
+ NMVpnServicePluginClass parent;
} NMStrongswanPluginClass;
GType nm_strongswan_plugin_get_type(void);
diff --git a/src/charon-tkm/src/ees/esa_event_service.adb b/src/charon-tkm/src/ees/esa_event_service.adb
index 5b5d7003b..6b6b3f743 100644
--- a/src/charon-tkm/src/ees/esa_event_service.adb
+++ b/src/charon-tkm/src/ees/esa_event_service.adb
@@ -27,10 +27,13 @@ package body Esa_Event_Service
is
package Unix_TCP_Receiver is new Anet.Receivers.Stream
- (Socket_Type => Anet.Sockets.Unix.TCP_Socket_Type);
+ (Socket_Type => Anet.Sockets.Unix.TCP_Socket_Type,
+ Address_Type => Anet.Sockets.Unix.Full_Path_Type,
+ Accept_Connection => Anet.Sockets.Unix.Accept_Connection);
procedure Dispatch is new Tkmrpc.Process_Stream
- (Dispatch => Tkmrpc.Dispatchers.Ees.Dispatch);
+ (Dispatch => Tkmrpc.Dispatchers.Ees.Dispatch,
+ Address_Type => Anet.Sockets.Unix.Full_Path_Type);
Sock : aliased Anet.Sockets.Unix.TCP_Socket_Type;
Receiver : Unix_TCP_Receiver.Receiver_Type (S => Sock'Access);
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 5f2cbfe0c..48d0001ce 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -1,5 +1,5 @@
/*
- * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index ed5366c2c..ac38078d7 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
index f57527602..290b00e37 100644
--- a/src/charon-tkm/src/tkm/tkm_listener.c
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -1,5 +1,5 @@
/*
- * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c
index 493ea2922..2b3e66d2d 100644
--- a/src/charon-tkm/src/tkm/tkm_nonceg.c
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.c
@@ -1,5 +1,5 @@
/*
- * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 8bba1f9d9..d4751f7d0 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -17,7 +17,7 @@
#include <tests/test_suite.h>
#include <daemon.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <encoding/payloads/ike_header.h>
#include <tkm/client.h>
diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c
index c4f8385c0..5e1cec089 100644
--- a/src/conftest/hooks/custom_proposal.c
+++ b/src/conftest/hooks/custom_proposal.c
@@ -18,7 +18,7 @@
#include <errno.h>
#include <encoding/payloads/sa_payload.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
typedef struct private_custom_proposal_t private_custom_proposal_t;
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 0da05d88c..36a69681d 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -47,7 +47,7 @@ enum guest_state_t {
extern enum_name_t *guest_state_names;
/**
- * Invoke function which lauches the UML guest.
+ * Invoke function which launches the UML guest.
*
* Consoles are all set to NULL, you may change them by adding additional UML
* options to args before invocation.
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 17c918f60..4028096f0 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.6.1rc1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.6.2dr3" "strongSwan"
.
.SH NAME
.
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index f381860b9..d1fb33702 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -16,7 +16,6 @@ config/backend_manager.c config/backend_manager.h config/backend.h \
config/child_cfg.c config/child_cfg.h \
config/ike_cfg.c config/ike_cfg.h \
config/peer_cfg.c config/peer_cfg.h \
-config/proposal.c config/proposal.h \
control/controller.c control/controller.h \
daemon.c daemon.h \
encoding/generator.c encoding/generator.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 964a19ec8..25ac7972c 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -14,7 +14,6 @@ config/backend_manager.c config/backend_manager.h config/backend.h \
config/child_cfg.c config/child_cfg.h \
config/ike_cfg.c config/ike_cfg.h \
config/peer_cfg.c config/peer_cfg.h \
-config/proposal.c config/proposal.h \
control/controller.c control/controller.h \
daemon.c daemon.h \
encoding/generator.c encoding/generator.h \
@@ -209,6 +208,13 @@ if MONOLITHIC
endif
endif
+if USE_SAVE_KEYS
+ SUBDIRS += plugins/save_keys
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/save_keys/libstrongswan-save-keys.la
+endif
+endif
+
if USE_SOCKET_DEFAULT
SUBDIRS += plugins/socket_default
if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index d3cbb0fb6..6c39317fa 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -155,150 +155,152 @@ host_triplet = @host@
@USE_LOAD_TESTER_TRUE@am__append_6 = plugins/load_tester
@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_7 = plugins/load_tester/libstrongswan-load-tester.la
-@USE_SOCKET_DEFAULT_TRUE@am__append_8 = plugins/socket_default
-@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_9 = plugins/socket_default/libstrongswan-socket-default.la
-@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic
-@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
-@USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win
-@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_13 = plugins/socket_win/libstrongswan-socket-win.la
-@USE_CONNMARK_TRUE@am__append_14 = plugins/connmark
-@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_15 = plugins/connmark/libstrongswan-connmark.la
-@USE_BYPASS_LAN_TRUE@am__append_16 = plugins/bypass_lan
-@MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE@am__append_17 = plugins/bypass_lan/libstrongswan-bypass-lan.la
-@USE_FORECAST_TRUE@am__append_18 = plugins/forecast
-@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_19 = plugins/forecast/libstrongswan-forecast.la
-@USE_FARP_TRUE@am__append_20 = plugins/farp
-@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_21 = plugins/farp/libstrongswan-farp.la
-@USE_COUNTERS_TRUE@am__append_22 = plugins/counters
-@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_23 = plugins/counters/libstrongswan-counters.la
-@USE_STROKE_TRUE@am__append_24 = plugins/stroke
-@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_25 = plugins/stroke/libstrongswan-stroke.la
-@USE_VICI_TRUE@am__append_26 = plugins/vici
-@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_27 = plugins/vici/libstrongswan-vici.la
-@USE_SMP_TRUE@am__append_28 = plugins/smp
-@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_29 = plugins/smp/libstrongswan-smp.la
-@USE_SQL_TRUE@am__append_30 = plugins/sql
-@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_31 = plugins/sql/libstrongswan-sql.la
-@USE_DNSCERT_TRUE@am__append_32 = plugins/dnscert
-@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_33 = plugins/dnscert/libstrongswan-dnscert.la
-@USE_IPSECKEY_TRUE@am__append_34 = plugins/ipseckey
-@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_35 = plugins/ipseckey/libstrongswan-ipseckey.la
-@USE_UPDOWN_TRUE@am__append_36 = plugins/updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_37 = plugins/updown/libstrongswan-updown.la
-@USE_EXT_AUTH_TRUE@am__append_38 = plugins/ext_auth
-@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_39 = plugins/ext_auth/libstrongswan-ext-auth.la
-@USE_EAP_IDENTITY_TRUE@am__append_40 = plugins/eap_identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_41 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_42 = plugins/eap_sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_43 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_44 = plugins/eap_sim_file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_45 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIM_PCSC_TRUE@am__append_46 = plugins/eap_sim_pcsc
-@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_47 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_48 = plugins/eap_simaka_sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_49 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_50 = plugins/eap_simaka_pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_52 = plugins/eap_simaka_reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_53 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_54 = plugins/eap_aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_55 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP_TRUE@am__append_56 = plugins/eap_aka_3gpp
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_57 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_58 = plugins/eap_aka_3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_59 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_60 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_61 = plugins/eap_md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_62 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_63 = plugins/eap_gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_64 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_65 = plugins/eap_mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_66 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_DYNAMIC_TRUE@am__append_67 = plugins/eap_dynamic
-@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_68 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
-@USE_EAP_RADIUS_TRUE@am__append_69 = plugins/eap_radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_70 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_EAP_TLS_TRUE@am__append_71 = plugins/eap_tls
-@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_72 = plugins/eap_tls/libstrongswan-eap-tls.la
-@USE_EAP_TTLS_TRUE@am__append_73 = plugins/eap_ttls
-@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_74 = plugins/eap_ttls/libstrongswan-eap-ttls.la
-@USE_EAP_PEAP_TRUE@am__append_75 = plugins/eap_peap
-@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_76 = plugins/eap_peap/libstrongswan-eap-peap.la
-@USE_EAP_TNC_TRUE@am__append_77 = plugins/eap_tnc
-@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_78 = plugins/eap_tnc/libstrongswan-eap-tnc.la
-@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_79 = $(top_builddir)/src/libtls/libtls.la
-@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_80 = $(top_builddir)/src/libradius/libradius.la
-@USE_TNC_IFMAP_TRUE@am__append_81 = plugins/tnc_ifmap
-@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_82 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
-@USE_TNC_PDP_TRUE@am__append_83 = plugins/tnc_pdp
-@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_84 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
-@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_85 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_MEDSRV_TRUE@am__append_86 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_87 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_88 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_89 = plugins/medcli/libstrongswan-medcli.la
-@USE_DHCP_TRUE@am__append_90 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_91 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_OSX_ATTR_TRUE@am__append_92 = plugins/osx_attr
-@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_93 = plugins/osx_attr/libstrongswan-osx-attr.la
-@USE_P_CSCF_TRUE@am__append_94 = plugins/p_cscf
-@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_95 = plugins/p_cscf/libstrongswan-p-cscf.la
-@USE_ANDROID_DNS_TRUE@am__append_96 = plugins/android_dns
-@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_97 = plugins/android_dns/libstrongswan-android-dns.la
-@USE_ANDROID_LOG_TRUE@am__append_98 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_99 = plugins/android_log/libstrongswan-android-log.la
-@USE_HA_TRUE@am__append_100 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_101 = plugins/ha/libstrongswan-ha.la
-@USE_KERNEL_PFKEY_TRUE@am__append_102 = plugins/kernel_pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_103 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_104 = plugins/kernel_pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_105 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_NETLINK_TRUE@am__append_106 = plugins/kernel_netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_107 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-@USE_KERNEL_LIBIPSEC_TRUE@am__append_108 = plugins/kernel_libipsec
-@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_109 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
-@USE_KERNEL_WFP_TRUE@am__append_110 = plugins/kernel_wfp
-@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_111 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
-@USE_KERNEL_IPH_TRUE@am__append_112 = plugins/kernel_iph
-@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_113 = plugins/kernel_iph/libstrongswan-kernel-iph.la
-@USE_WHITELIST_TRUE@am__append_114 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_115 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_116 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_117 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_118 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_119 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_120 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_121 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_SYSTIME_FIX_TRUE@am__append_122 = plugins/systime_fix
-@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_123 = plugins/systime_fix/libstrongswan-systime-fix.la
-@USE_LED_TRUE@am__append_124 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_125 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_126 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_127 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_128 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_129 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_130 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_131 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_132 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_133 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_134 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_135 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_136 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_137 = plugins/unity/libstrongswan-unity.la
-@USE_XAUTH_GENERIC_TRUE@am__append_138 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_139 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_140 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_141 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_142 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_143 = plugins/xauth_pam/libstrongswan-xauth-pam.la
-@USE_XAUTH_NOAUTH_TRUE@am__append_144 = plugins/xauth_noauth
-@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_145 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
-@USE_RESOLVE_TRUE@am__append_146 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_147 = plugins/resolve/libstrongswan-resolve.la
-@USE_ATTR_TRUE@am__append_148 = plugins/attr
-@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_149 = plugins/attr/libstrongswan-attr.la
-@USE_ATTR_SQL_TRUE@am__append_150 = plugins/attr_sql
-@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_151 = plugins/attr_sql/libstrongswan-attr-sql.la
+@USE_SAVE_KEYS_TRUE@am__append_8 = plugins/save_keys
+@MONOLITHIC_TRUE@@USE_SAVE_KEYS_TRUE@am__append_9 = plugins/save_keys/libstrongswan-save-keys.la
+@USE_SOCKET_DEFAULT_TRUE@am__append_10 = plugins/socket_default
+@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_11 = plugins/socket_default/libstrongswan-socket-default.la
+@USE_SOCKET_DYNAMIC_TRUE@am__append_12 = plugins/socket_dynamic
+@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_13 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+@USE_SOCKET_WIN_TRUE@am__append_14 = plugins/socket_win
+@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_15 = plugins/socket_win/libstrongswan-socket-win.la
+@USE_CONNMARK_TRUE@am__append_16 = plugins/connmark
+@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_17 = plugins/connmark/libstrongswan-connmark.la
+@USE_BYPASS_LAN_TRUE@am__append_18 = plugins/bypass_lan
+@MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE@am__append_19 = plugins/bypass_lan/libstrongswan-bypass-lan.la
+@USE_FORECAST_TRUE@am__append_20 = plugins/forecast
+@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_21 = plugins/forecast/libstrongswan-forecast.la
+@USE_FARP_TRUE@am__append_22 = plugins/farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_23 = plugins/farp/libstrongswan-farp.la
+@USE_COUNTERS_TRUE@am__append_24 = plugins/counters
+@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_25 = plugins/counters/libstrongswan-counters.la
+@USE_STROKE_TRUE@am__append_26 = plugins/stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_27 = plugins/stroke/libstrongswan-stroke.la
+@USE_VICI_TRUE@am__append_28 = plugins/vici
+@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_29 = plugins/vici/libstrongswan-vici.la
+@USE_SMP_TRUE@am__append_30 = plugins/smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_31 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_32 = plugins/sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_33 = plugins/sql/libstrongswan-sql.la
+@USE_DNSCERT_TRUE@am__append_34 = plugins/dnscert
+@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_35 = plugins/dnscert/libstrongswan-dnscert.la
+@USE_IPSECKEY_TRUE@am__append_36 = plugins/ipseckey
+@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_37 = plugins/ipseckey/libstrongswan-ipseckey.la
+@USE_UPDOWN_TRUE@am__append_38 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_39 = plugins/updown/libstrongswan-updown.la
+@USE_EXT_AUTH_TRUE@am__append_40 = plugins/ext_auth
+@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_41 = plugins/ext_auth/libstrongswan-ext-auth.la
+@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_43 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_44 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_46 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_47 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIM_PCSC_TRUE@am__append_48 = plugins/eap_sim_pcsc
+@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_49 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_50 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_56 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP_TRUE@am__append_58 = plugins/eap_aka_3gpp
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_59 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_62 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_63 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_65 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_66 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_67 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_68 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_DYNAMIC_TRUE@am__append_69 = plugins/eap_dynamic
+@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_70 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+@USE_EAP_RADIUS_TRUE@am__append_71 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_72 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_73 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_74 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_75 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_76 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_PEAP_TRUE@am__append_77 = plugins/eap_peap
+@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_78 = plugins/eap_peap/libstrongswan-eap-peap.la
+@USE_EAP_TNC_TRUE@am__append_79 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_80 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_81 = $(top_builddir)/src/libtls/libtls.la
+@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_82 = $(top_builddir)/src/libradius/libradius.la
+@USE_TNC_IFMAP_TRUE@am__append_83 = plugins/tnc_ifmap
+@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_84 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+@USE_TNC_PDP_TRUE@am__append_85 = plugins/tnc_pdp
+@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_86 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_87 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_MEDSRV_TRUE@am__append_88 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_89 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_90 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_91 = plugins/medcli/libstrongswan-medcli.la
+@USE_DHCP_TRUE@am__append_92 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_93 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_OSX_ATTR_TRUE@am__append_94 = plugins/osx_attr
+@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_95 = plugins/osx_attr/libstrongswan-osx-attr.la
+@USE_P_CSCF_TRUE@am__append_96 = plugins/p_cscf
+@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_97 = plugins/p_cscf/libstrongswan-p-cscf.la
+@USE_ANDROID_DNS_TRUE@am__append_98 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_99 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_100 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_101 = plugins/android_log/libstrongswan-android-log.la
+@USE_HA_TRUE@am__append_102 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_103 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_PFKEY_TRUE@am__append_104 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_105 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_106 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_107 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_NETLINK_TRUE@am__append_108 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_109 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_110 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_111 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_KERNEL_WFP_TRUE@am__append_112 = plugins/kernel_wfp
+@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_113 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+@USE_KERNEL_IPH_TRUE@am__append_114 = plugins/kernel_iph
+@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_115 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+@USE_WHITELIST_TRUE@am__append_116 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_117 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_118 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_119 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_120 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_121 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_122 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_123 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_124 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_125 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_126 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_127 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_128 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_129 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_130 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_131 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_132 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_133 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_134 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_135 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_136 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_137 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_138 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_139 = plugins/unity/libstrongswan-unity.la
+@USE_XAUTH_GENERIC_TRUE@am__append_140 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_141 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_142 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_143 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_144 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_145 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_146 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_147 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_RESOLVE_TRUE@am__append_148 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_149 = plugins/resolve/libstrongswan-resolve.la
+@USE_ATTR_TRUE@am__append_150 = plugins/attr
+@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_151 = plugins/attr/libstrongswan-attr.la
+@USE_ATTR_SQL_TRUE@am__append_152 = plugins/attr_sql
+@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_153 = plugins/attr_sql/libstrongswan-attr-sql.la
subdir = src/libcharon
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -361,12 +363,12 @@ libcharon_la_DEPENDENCIES = \
$(am__append_41) $(am__append_43) $(am__append_45) \
$(am__append_47) $(am__append_49) $(am__append_51) \
$(am__append_53) $(am__append_55) $(am__append_57) \
- $(am__append_59) $(am__append_60) $(am__append_62) \
+ $(am__append_59) $(am__append_61) $(am__append_62) \
$(am__append_64) $(am__append_66) $(am__append_68) \
$(am__append_70) $(am__append_72) $(am__append_74) \
- $(am__append_76) $(am__append_78) $(am__append_79) \
- $(am__append_80) $(am__append_82) $(am__append_84) \
- $(am__append_85) $(am__append_87) $(am__append_89) \
+ $(am__append_76) $(am__append_78) $(am__append_80) \
+ $(am__append_81) $(am__append_82) $(am__append_84) \
+ $(am__append_86) $(am__append_87) $(am__append_89) \
$(am__append_91) $(am__append_93) $(am__append_95) \
$(am__append_97) $(am__append_99) $(am__append_101) \
$(am__append_103) $(am__append_105) $(am__append_107) \
@@ -377,7 +379,7 @@ libcharon_la_DEPENDENCIES = \
$(am__append_133) $(am__append_135) $(am__append_137) \
$(am__append_139) $(am__append_141) $(am__append_143) \
$(am__append_145) $(am__append_147) $(am__append_149) \
- $(am__append_151)
+ $(am__append_151) $(am__append_153)
am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
attributes/attributes.h attributes/attribute_provider.h \
attributes/attribute_handler.h attributes/attribute_manager.c \
@@ -388,11 +390,11 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
bus/listeners/file_logger.h config/backend_manager.c \
config/backend_manager.h config/backend.h config/child_cfg.c \
config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
- config/peer_cfg.c config/peer_cfg.h config/proposal.c \
- config/proposal.h control/controller.c control/controller.h \
- daemon.c daemon.h encoding/generator.c encoding/generator.h \
- encoding/message.c encoding/message.h encoding/parser.c \
- encoding/parser.h encoding/payloads/auth_payload.c \
+ config/peer_cfg.c config/peer_cfg.h control/controller.c \
+ control/controller.h daemon.c daemon.h encoding/generator.c \
+ encoding/generator.h encoding/message.c encoding/message.h \
+ encoding/parser.c encoding/parser.h \
+ encoding/payloads/auth_payload.c \
encoding/payloads/auth_payload.h \
encoding/payloads/cert_payload.c \
encoding/payloads/cert_payload.h \
@@ -609,10 +611,9 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \
attributes/attribute_manager.lo attributes/mem_pool.lo \
bus/bus.lo bus/listeners/file_logger.lo \
config/backend_manager.lo config/child_cfg.lo \
- config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \
- control/controller.lo daemon.lo encoding/generator.lo \
- encoding/message.lo encoding/parser.lo \
- encoding/payloads/auth_payload.lo \
+ config/ike_cfg.lo config/peer_cfg.lo control/controller.lo \
+ daemon.lo encoding/generator.lo encoding/message.lo \
+ encoding/parser.lo encoding/payloads/auth_payload.lo \
encoding/payloads/cert_payload.lo \
encoding/payloads/certreq_payload.lo \
encoding/payloads/configuration_attribute.lo \
@@ -744,22 +745,23 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
-DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
- plugins/socket_dynamic plugins/socket_win plugins/connmark \
- plugins/bypass_lan plugins/forecast plugins/farp \
- plugins/counters plugins/stroke plugins/vici plugins/smp \
- plugins/sql plugins/dnscert plugins/ipseckey plugins/updown \
- plugins/ext_auth plugins/eap_identity plugins/eap_sim \
- plugins/eap_sim_file plugins/eap_sim_pcsc \
- plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
- plugins/eap_simaka_reauth plugins/eap_aka plugins/eap_aka_3gpp \
- plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
- plugins/eap_mschapv2 plugins/eap_dynamic plugins/eap_radius \
- plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
- plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
- plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \
- plugins/p_cscf plugins/android_dns plugins/android_log \
- plugins/ha plugins/kernel_pfkey plugins/kernel_pfroute \
+DIST_SUBDIRS = . plugins/load_tester plugins/save_keys \
+ plugins/socket_default plugins/socket_dynamic \
+ plugins/socket_win plugins/connmark plugins/bypass_lan \
+ plugins/forecast plugins/farp plugins/counters plugins/stroke \
+ plugins/vici plugins/smp plugins/sql plugins/dnscert \
+ plugins/ipseckey plugins/updown plugins/ext_auth \
+ plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
+ plugins/eap_sim_pcsc plugins/eap_simaka_sql \
+ plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
+ plugins/eap_aka plugins/eap_aka_3gpp plugins/eap_aka_3gpp2 \
+ plugins/eap_md5 plugins/eap_gtc plugins/eap_mschapv2 \
+ plugins/eap_dynamic plugins/eap_radius plugins/eap_tls \
+ plugins/eap_ttls plugins/eap_peap plugins/eap_tnc \
+ plugins/tnc_ifmap plugins/tnc_pdp plugins/medsrv \
+ plugins/medcli plugins/dhcp plugins/osx_attr plugins/p_cscf \
+ plugins/android_dns plugins/android_log plugins/ha \
+ plugins/kernel_pfkey plugins/kernel_pfroute \
plugins/kernel_netlink plugins/kernel_libipsec \
plugins/kernel_wfp plugins/kernel_iph plugins/whitelist \
plugins/lookip plugins/error_notify plugins/certexpire \
@@ -1043,11 +1045,11 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
bus/listeners/file_logger.h config/backend_manager.c \
config/backend_manager.h config/backend.h config/child_cfg.c \
config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
- config/peer_cfg.c config/peer_cfg.h config/proposal.c \
- config/proposal.h control/controller.c control/controller.h \
- daemon.c daemon.h encoding/generator.c encoding/generator.h \
- encoding/message.c encoding/message.h encoding/parser.c \
- encoding/parser.h encoding/payloads/auth_payload.c \
+ config/peer_cfg.c config/peer_cfg.h control/controller.c \
+ control/controller.h daemon.c daemon.h encoding/generator.c \
+ encoding/generator.h encoding/message.c encoding/message.h \
+ encoding/parser.c encoding/parser.h \
+ encoding/payloads/auth_payload.c \
encoding/payloads/auth_payload.h \
encoding/payloads/cert_payload.c \
encoding/payloads/cert_payload.h \
@@ -1163,11 +1165,11 @@ libcharon_la_LIBADD = \
$(am__append_43) $(am__append_45) $(am__append_47) \
$(am__append_49) $(am__append_51) $(am__append_53) \
$(am__append_55) $(am__append_57) $(am__append_59) \
- $(am__append_60) $(am__append_62) $(am__append_64) \
+ $(am__append_61) $(am__append_62) $(am__append_64) \
$(am__append_66) $(am__append_68) $(am__append_70) \
$(am__append_72) $(am__append_74) $(am__append_76) \
- $(am__append_78) $(am__append_79) $(am__append_80) \
- $(am__append_82) $(am__append_84) $(am__append_85) \
+ $(am__append_78) $(am__append_80) $(am__append_81) \
+ $(am__append_82) $(am__append_84) $(am__append_86) \
$(am__append_87) $(am__append_89) $(am__append_91) \
$(am__append_93) $(am__append_95) $(am__append_97) \
$(am__append_99) $(am__append_101) $(am__append_103) \
@@ -1178,7 +1180,8 @@ libcharon_la_LIBADD = \
$(am__append_129) $(am__append_131) $(am__append_133) \
$(am__append_135) $(am__append_137) $(am__append_139) \
$(am__append_141) $(am__append_143) $(am__append_145) \
- $(am__append_147) $(am__append_149) $(am__append_151)
+ $(am__append_147) $(am__append_149) $(am__append_151) \
+ $(am__append_153)
EXTRA_DIST = Android.mk
@STATIC_PLUGIN_CONSTRUCTORS_TRUE@BUILT_SOURCES = $(srcdir)/plugin_constructors.c
@STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c
@@ -1195,13 +1198,13 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \
@MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \
@MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \
-@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_61) \
+@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_60) \
@MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \
@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \
@MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \
@MONOLITHIC_FALSE@ $(am__append_75) $(am__append_77) \
-@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \
-@MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \
+@MONOLITHIC_FALSE@ $(am__append_79) $(am__append_83) \
+@MONOLITHIC_FALSE@ $(am__append_85) $(am__append_88) \
@MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \
@MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \
@MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \
@@ -1217,7 +1220,7 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@ $(am__append_138) $(am__append_140) \
@MONOLITHIC_FALSE@ $(am__append_142) $(am__append_144) \
@MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) \
-@MONOLITHIC_FALSE@ $(am__append_150) tests
+@MONOLITHIC_FALSE@ $(am__append_150) $(am__append_152) tests
# build optional plugins
########################
@@ -1234,13 +1237,13 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \
@MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \
@MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \
-@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_61) \
+@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_60) \
@MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \
@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \
@MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \
@MONOLITHIC_TRUE@ $(am__append_75) $(am__append_77) \
-@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \
-@MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \
+@MONOLITHIC_TRUE@ $(am__append_79) $(am__append_83) \
+@MONOLITHIC_TRUE@ $(am__append_85) $(am__append_88) \
@MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \
@MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \
@MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \
@@ -1256,7 +1259,7 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_TRUE@ $(am__append_138) $(am__append_140) \
@MONOLITHIC_TRUE@ $(am__append_142) $(am__append_144) \
@MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) \
-@MONOLITHIC_TRUE@ $(am__append_150) . tests
+@MONOLITHIC_TRUE@ $(am__append_150) $(am__append_152) . tests
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -1367,8 +1370,6 @@ config/ike_cfg.lo: config/$(am__dirstamp) \
config/$(DEPDIR)/$(am__dirstamp)
config/peer_cfg.lo: config/$(am__dirstamp) \
config/$(DEPDIR)/$(am__dirstamp)
-config/proposal.lo: config/$(am__dirstamp) \
- config/$(DEPDIR)/$(am__dirstamp)
control/$(am__dirstamp):
@$(MKDIR_P) control
@: > control/$(am__dirstamp)
@@ -1784,7 +1785,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/child_cfg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/ike_cfg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/peer_cfg.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/proposal.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@control/$(DEPDIR)/controller.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@encoding/$(DEPDIR)/generator.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@encoding/$(DEPDIR)/message.Plo@am__quote@
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index ec2a12431..3d110e9a2 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -224,6 +224,10 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
while (prefer_enum->enumerate(prefer_enum, &proposal))
{
proposal = proposal->clone(proposal);
+ if (strip_dh)
+ {
+ proposal->strip_dh(proposal, MODP_NONE);
+ }
if (prefer_self)
{
proposals->reset_enumerator(proposals, match_enum);
@@ -234,11 +238,13 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
}
while (match_enum->enumerate(match_enum, &match))
{
+ match = match->clone(match);
if (strip_dh)
{
- proposal->strip_dh(proposal, MODP_NONE);
+ match->strip_dh(match, MODP_NONE);
}
selected = proposal->select(proposal, match, prefer_self, private);
+ match->destroy(match);
if (selected)
{
DBG2(DBG_CFG, "received proposals: %#P", proposals);
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 93904ec71..e2834fa8f 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -31,7 +31,7 @@ typedef struct child_cfg_create_t child_cfg_create_t;
#include <library.h>
#include <selectors/traffic_selector.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <kernel/kernel_ipsec.h>
/**
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 034996f60..81f2b6906 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -31,7 +31,7 @@ typedef struct ike_cfg_t ike_cfg_t;
#include <networking/host.h>
#include <collections/linked_list.h>
#include <utils/identification.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <crypto/diffie_hellman.h>
/**
@@ -61,7 +61,7 @@ enum fragmentation_t {
};
/**
- * enum strings fro ike_version_t
+ * enum strings for ike_version_t
*/
extern enum_name_t *ike_version_names;
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index b294ae72f..6074a7cd4 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -32,7 +32,7 @@ typedef struct peer_cfg_create_t peer_cfg_create_t;
#include <utils/identification.h>
#include <collections/enumerator.h>
#include <selectors/traffic_selector.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <config/ike_cfg.h>
#include <config/child_cfg.h>
#include <credentials/auth_cfg.h>
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 7c9f83d12..e4b819710 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -55,7 +55,6 @@
#include <bus/listeners/sys_logger.h>
#include <bus/listeners/file_logger.h>
#include <collections/array.h>
-#include <config/proposal.h>
#include <plugins/plugin_feature.h>
#include <kernel/kernel_handler.h>
#include <processing/jobs/start_action_job.h>
@@ -989,11 +988,6 @@ bool libcharon_init()
dbg_old = dbg;
dbg = dbg_bus;
- lib->printf_hook->add_handler(lib->printf_hook, 'P',
- proposal_printf_hook,
- PRINTF_HOOK_ARGTYPE_POINTER,
- PRINTF_HOOK_ARGTYPE_END);
-
if (lib->integrity &&
!lib->integrity->check(lib->integrity, "libcharon", libcharon_init))
{
diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h
index 375530776..9c7fe8979 100644
--- a/src/libcharon/encoding/generator.h
+++ b/src/libcharon/encoding/generator.h
@@ -35,8 +35,8 @@ typedef struct generator_t generator_t;
* method. The generated bytes are appended. After all payloads are added,
* the write_to_chunk method writes out all generated data since
* the creation of the generator.
- * The generater uses a set of encoding rules, which it can get from
- * the supplied payload. With this rules, the generater can generate
+ * The generator uses a set of encoding rules, which it can get from
+ * the supplied payload. With this rules, the generator can generate
* the payload and all substructures automatically.
*/
struct generator_t {
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 6d850aac0..735526e3c 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -657,6 +657,7 @@ static payload_rule_t quick_mode_i_rules[] = {
{PLV1_ID, 0, 2, TRUE, FALSE},
{PLV1_NAT_OA, 0, 2, TRUE, FALSE},
{PLV1_NAT_OA_DRAFT_00_03, 0, 2, TRUE, FALSE},
+ {PLV1_FRAGMENT, 0, 1, FALSE, TRUE},
};
/**
@@ -673,6 +674,7 @@ static payload_order_t quick_mode_i_order[] = {
{PLV1_ID, 0},
{PLV1_NAT_OA, 0},
{PLV1_NAT_OA_DRAFT_00_03, 0},
+ {PLV1_FRAGMENT, 0},
};
/**
@@ -689,6 +691,7 @@ static payload_rule_t quick_mode_r_rules[] = {
{PLV1_ID, 0, 2, TRUE, FALSE},
{PLV1_NAT_OA, 0, 2, TRUE, FALSE},
{PLV1_NAT_OA_DRAFT_00_03, 0, 2, TRUE, FALSE},
+ {PLV1_FRAGMENT, 0, 1, FALSE, TRUE},
};
/**
@@ -705,6 +708,7 @@ static payload_order_t quick_mode_r_order[] = {
{PLV1_ID, 0},
{PLV1_NAT_OA, 0},
{PLV1_NAT_OA_DRAFT_00_03, 0},
+ {PLV1_FRAGMENT, 0},
};
/**
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index 796c10890..cad597e58 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -29,7 +29,7 @@ typedef struct proposal_substructure_t proposal_substructure_t;
#include <library.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/transform_substructure.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <collections/linked_list.h>
#include <kernel/kernel_ipsec.h>
#include <sa/authenticator.h>
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index cb75f1ea7..a9d4f9f7d 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -32,7 +32,7 @@ typedef struct transform_substructure_t transform_substructure_t;
#include <crypto/signers/signer.h>
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
/**
* IKEv1 Value for a transform payload.
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
index 3d736b25b..91ca259ef 100644
--- a/src/libcharon/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -351,7 +351,7 @@ METHOD(kernel_interface_t, alloc_reqid, status_t,
if (entry)
{
/* we don't require a traffic selector match for explicit reqids,
- * as we wan't to reuse a reqid for trap-triggered policies that
+ * as we want to reuse a reqid for trap-triggered policies that
* got narrowed during negotiation. */
reqid_entry_destroy(tmpl);
}
diff --git a/src/libcharon/plugins/certexpire/certexpire_cron.h b/src/libcharon/plugins/certexpire/certexpire_cron.h
index 0d6623d7f..3e1005b23 100644
--- a/src/libcharon/plugins/certexpire/certexpire_cron.h
+++ b/src/libcharon/plugins/certexpire/certexpire_cron.h
@@ -38,7 +38,7 @@ struct certexpire_cron_t {
/**
* Destroy a certexpire_cron_t.
*
- * It currently is not possible to savely cancel a cron job. Make sure
+ * It currently is not possible to safely cancel a cron job. Make sure
* any scheduled jobs have been canceled before cleaning up.
*/
void (*destroy)(certexpire_cron_t *this);
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 58bbc2edd..8188bb764 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -92,7 +92,7 @@ static void destroy_attr(attr_t *this)
* Hashtable entry with leases and attributes
*/
typedef struct {
- /** IKE_SA uniqe id we assign the IP lease */
+ /** IKE_SA unique id we assign the IP lease */
uintptr_t id;
/** list of IP leases received from AAA, as host_t */
linked_list_t *addrs;
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
index 0fea50919..705fb188d 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
@@ -72,7 +72,7 @@ struct private_eap_radius_xauth_t {
xauth_round_t round;
/**
- * Concatentated password of all rounds
+ * Concatenated password of all rounds
*/
chunk_t pass;
};
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 0e83b1642..fb8d22915 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -335,7 +335,7 @@ METHOD(listener_t, message_hook, bool,
chunk_t iv;
/* we need the last block (or expected next IV) of Phase 1, which gets
- * upated after successful en-/decryption depending on direction */
+ * updated after successful en-/decryption depending on direction */
if (incoming == plain)
{
if (message->get_message_id(message) == 0)
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index e41e78bbf..d23e45e0b 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -1,6 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -52,6 +53,11 @@ struct private_ha_socket_t {
* remote host to receive/send to
*/
host_t *remote;
+
+ /**
+ * Receive buffer size
+ */
+ u_int buflen;
};
/**
@@ -120,13 +126,26 @@ METHOD(ha_socket_t, pull, ha_message_t*,
while (TRUE)
{
ha_message_t *message;
- char buf[1024];
+ char buf[this->buflen];
+ struct iovec iov = {
+ .iov_base = buf,
+ .iov_len = this->buflen,
+ };
+ struct msghdr msg = {
+ .msg_iov = &iov,
+ .msg_iovlen = 1,
+ };
bool oldstate;
ssize_t len;
oldstate = thread_cancelability(TRUE);
- len = recv(this->fd, buf, sizeof(buf), 0);
+ len = recvmsg(this->fd, &msg, 0);
thread_cancelability(oldstate);
+ if (msg.msg_flags & MSG_TRUNC)
+ {
+ DBG1(DBG_CFG, "HA message exceeds receive buffer");
+ continue;
+ }
if (len <= 0)
{
switch (errno)
@@ -208,6 +227,8 @@ ha_socket_t *ha_socket_create(char *local, char *remote)
},
.local = host_create_from_dns(local, 0, HA_PORT),
.remote = host_create_from_dns(remote, 0, HA_PORT),
+ .buflen = lib->settings->get_int(lib->settings,
+ "%s.plugins.ha.buflen", 2048, lib->ns),
.fd = -1,
);
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index a21d0ae7f..c3f92f500 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -78,6 +78,9 @@
#define ROUTING_TABLE_PRIO 0
#endif
+/** multicast groups (for groups > 31 setsockopt has to be used) */
+#define nl_group(group) (1 << (group - 1))
+
ENUM(rt_msg_names, RTM_NEWLINK, RTM_GETRULE,
"RTM_NEWLINK",
"RTM_DELLINK",
@@ -473,6 +476,11 @@ struct private_kernel_netlink_net_t {
bool process_route;
/**
+ * whether to react to RTM_NEWRULE or RTM_DELRULE events
+ */
+ bool process_rules;
+
+ /**
* whether to trigger roam events
*/
bool roam_events;
@@ -1452,6 +1460,45 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
}
/**
+ * process RTM_NEW|DELRULE from kernel
+ */
+static void process_rule(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
+{
+#ifdef HAVE_LINUX_FIB_RULES_H
+ struct rtmsg* msg = NLMSG_DATA(hdr);
+ struct rtattr *rta = RTM_RTA(msg);
+ size_t rtasize = RTM_PAYLOAD(hdr);
+ uint32_t table = 0;
+
+ /* ignore rules added by us or in the local routing table (local addrs) */
+ if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
+ msg->rtm_table == RT_TABLE_LOCAL))
+ {
+ return;
+ }
+
+ while (RTA_OK(rta, rtasize))
+ {
+ switch (rta->rta_type)
+ {
+ case FRA_TABLE:
+ if (RTA_PAYLOAD(rta) == sizeof(table))
+ {
+ table = *(uint32_t*)RTA_DATA(rta);
+ }
+ break;
+ }
+ rta = RTA_NEXT(rta, rtasize);
+ }
+ if (table && table == this->routing_table)
+ { /* also check against extended table ID */
+ return;
+ }
+ fire_roam_event(this, FALSE);
+#endif
+}
+
+/**
* Receives events from kernel
*/
static bool receive_events(private_kernel_netlink_net_t *this, int fd,
@@ -1508,6 +1555,13 @@ static bool receive_events(private_kernel_netlink_net_t *this, int fd,
process_route(this, hdr);
}
break;
+ case RTM_NEWRULE:
+ case RTM_DELRULE:
+ if (this->process_rules)
+ {
+ process_rule(this, hdr);
+ }
+ break;
default:
break;
}
@@ -2333,7 +2387,9 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
if (ip->get_family(ip) == AF_INET6)
{
+#ifdef IFA_F_NODAD
msg->ifa_flags |= IFA_F_NODAD;
+#endif
if (this->rta_prefsrc_for_ipv6)
{
/* if source routes are possible we let the virtual IP get
@@ -2983,6 +3039,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
"%s.prefer_temporary_addrs", FALSE, lib->ns),
.roam_events = lib->settings->get_bool(lib->settings,
"%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns),
+ .process_rules = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.process_rules", FALSE, lib->ns),
.mtu = lib->settings->get_int(lib->settings,
"%s.plugins.kernel-netlink.mtu", 0, lib->ns),
.mss = lib->settings->get_int(lib->settings,
@@ -3035,8 +3093,19 @@ kernel_netlink_net_t *kernel_netlink_net_create()
destroy(this);
return NULL;
}
- addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
- RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK;
+ addr.nl_groups = nl_group(RTNLGRP_IPV4_IFADDR) |
+ nl_group(RTNLGRP_IPV6_IFADDR) |
+ nl_group(RTNLGRP_LINK);
+ if (this->process_route)
+ {
+ addr.nl_groups |= nl_group(RTNLGRP_IPV4_ROUTE) |
+ nl_group(RTNLGRP_IPV6_ROUTE);
+ }
+ if (this->process_rules)
+ {
+ addr.nl_groups |= nl_group(RTNLGRP_IPV4_RULE) |
+ nl_group(RTNLGRP_IPV6_RULE);
+ }
if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
{
DBG1(DBG_KNL, "unable to bind RT event socket: %s (%d)",
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 710107889..79abe587a 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1752,13 +1752,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
#ifdef SADB_X_EXT_SA_REPLAY
if (data->inbound)
{
- struct sadb_x_sa_replay *replay;
+ struct sadb_x_sa_replay *repl;
- replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg);
- replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY;
- replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay));
- replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32);
- PFKEY_EXT_ADD(msg, replay);
+ repl = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg);
+ repl->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
+ repl->sadb_x_sa_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay));
+ repl->sadb_x_sa_replay_replay = min(data->replay_window, UINT32_MAX-32);
+ PFKEY_EXT_ADD(msg, repl);
}
#endif
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 774fcf5c8..0f36e7be3 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -1982,7 +1982,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
{
- /* To avoid sequencial SPIs, we use a one-to-one permuation function on
+ /* To avoid sequential SPIs, we use a one-to-one permutation function on
* an incrementing counter, that is a full period PRNG for the range we
* allocate SPIs in. We add some randomness using a fixed XOR and start
* the counter at random position. This is not cryptographically safe,
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index a6c32d65d..8324dd14f 100644
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -33,7 +33,7 @@ struct private_lookip_plugin_t {
lookip_plugin_t public;
/**
- * Listener collecting virtual IP assignements
+ * Listener collecting virtual IP assignments
*/
lookip_listener_t *listener;
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
index e7a627b93..6f19a03d5 100644
--- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
@@ -150,7 +150,7 @@ static bool manage_dns(private_osx_attr_handler_t *this,
if (add)
{
if (!this->append && !this->original)
- { /* backup orignal config, start with empty set */
+ { /* backup original config, start with empty set */
this->original = arr;
arr = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
}
diff --git a/src/libcharon/plugins/save_keys/Makefile.am b/src/libcharon/plugins/save_keys/Makefile.am
new file mode 100644
index 000000000..a41668bb5
--- /dev/null
+++ b/src/libcharon/plugins/save_keys/Makefile.am
@@ -0,0 +1,18 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-save-keys.la
+else
+plugin_LTLIBRARIES = libstrongswan-save-keys.la
+endif
+
+libstrongswan_save_keys_la_SOURCES = \
+ save_keys_plugin.h save_keys_plugin.c \
+ save_keys_listener.c save_keys_listener.h
+
+libstrongswan_save_keys_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/save_keys/Makefile.in b/src/libcharon/plugins/save_keys/Makefile.in
new file mode 100644
index 000000000..a56d8eacd
--- /dev/null
+++ b/src/libcharon/plugins/save_keys/Makefile.in
@@ -0,0 +1,803 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/save_keys
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_save_keys_la_LIBADD =
+am_libstrongswan_save_keys_la_OBJECTS = save_keys_plugin.lo \
+ save_keys_listener.lo
+libstrongswan_save_keys_la_OBJECTS = \
+ $(am_libstrongswan_save_keys_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libstrongswan_save_keys_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_save_keys_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_save_keys_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_save_keys_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libstrongswan_save_keys_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_save_keys_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FUZZING_LDFLAGS = @FUZZING_LDFLAGS@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPERF_LEN_TYPE = @GPERF_LEN_TYPE@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-save-keys.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-save-keys.la
+libstrongswan_save_keys_la_SOURCES = \
+ save_keys_plugin.h save_keys_plugin.c \
+ save_keys_listener.c save_keys_listener.h
+
+libstrongswan_save_keys_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/save_keys/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/save_keys/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+libstrongswan-save-keys.la: $(libstrongswan_save_keys_la_OBJECTS) $(libstrongswan_save_keys_la_DEPENDENCIES) $(EXTRA_libstrongswan_save_keys_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_save_keys_la_LINK) $(am_libstrongswan_save_keys_la_rpath) $(libstrongswan_save_keys_la_OBJECTS) $(libstrongswan_save_keys_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/save_keys_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/save_keys_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-pluginLTLIBRARIES install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-pluginLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.c b/src/libcharon/plugins/save_keys/save_keys_listener.c
new file mode 100644
index 000000000..fc16f20e6
--- /dev/null
+++ b/src/libcharon/plugins/save_keys/save_keys_listener.c
@@ -0,0 +1,435 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com)
+ * Copyright (C) 2016 IXIA (http://www.ixiacom.com)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#define _GNU_SOURCE
+
+#include "save_keys_listener.h"
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <errno.h>
+
+#include <daemon.h>
+
+typedef struct private_save_keys_listener_t private_save_keys_listener_t;
+typedef struct algo_map_t algo_map_t;
+
+/**
+ * Name for IKEv1 decryption table file
+ */
+static char *ikev1_name = "ikev1_decryption_table";
+
+/**
+ * Name for IKEv2 decryption table file
+ */
+static char *ikev2_name = "ikev2_decryption_table";
+
+/**
+ * Name for esp decryption table file
+ */
+static char *esp_name = "esp_sa";
+
+/**
+ * Private data.
+ */
+struct private_save_keys_listener_t {
+
+ /**
+ * Public interface.
+ */
+ save_keys_listener_t public;
+
+ /**
+ * Path to the directory where the decryption tables will be stored.
+ */
+ char *path;
+
+ /**
+ * Whether to save IKE keys
+ */
+ bool ike;
+
+ /**
+ * Whether to save ESP keys
+ */
+ bool esp;
+};
+
+METHOD(save_keys_listener_t, destroy, void,
+ private_save_keys_listener_t *this)
+{
+ free(this);
+}
+
+/**
+ * Mapping strongSwan identifiers to Wireshark names
+ */
+struct algo_map_t {
+
+ /**
+ * IKE identifier
+ */
+ const uint16_t ike;
+
+ /**
+ * Optional key length
+ */
+ const int key_len;
+
+ /**
+ * Name of the algorithm in wireshark
+ */
+ const char *name;
+};
+
+/**
+ * Map an algorithm identifier to a name
+ */
+static inline const char *algo_name(algo_map_t *map, int count,
+ uint16_t alg, int key_len)
+{
+ int i;
+
+ for (i = 0; i < count; i++)
+ {
+ if (map[i].ike == alg)
+ {
+ if (map[i].key_len == -1 || map[i].key_len == key_len)
+ {
+ return map[i].name;
+ }
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Wireshark IKE algorithm identifiers for encryption
+ */
+static algo_map_t ike_encr[] = {
+ { ENCR_3DES, -1, "3DES [RFC2451]" },
+ { ENCR_NULL, -1, "NULL [RFC2410]" },
+ { ENCR_AES_CBC, 128, "AES-CBC-128 [RFC3602]" },
+ { ENCR_AES_CBC, 192, "AES-CBC-192 [RFC3602]" },
+ { ENCR_AES_CBC, 256, "AES-CBC-256 [RFC3602]" },
+ { ENCR_AES_CTR, 128, "AES-CTR-128 [RFC5930]" },
+ { ENCR_AES_CTR, 192, "AES-CTR-192 [RFC5930]" },
+ { ENCR_AES_CTR, 256, "AES-CTR-256 [RFC5930]" },
+ { ENCR_AES_GCM_ICV8, 128, "AES-GCM-128 with 8 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV8, 192, "AES-GCM-192 with 8 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV8, 256, "AES-GCM-256 with 8 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV12, 128, "AES-GCM-128 with 12 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV12, 192, "AES-GCM-192 with 12 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV12, 256, "AES-GCM-256 with 12 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV16, 128, "AES-GCM-128 with 16 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV16, 192, "AES-GCM-192 with 16 octet ICV [RFC5282]" },
+ { ENCR_AES_GCM_ICV16, 256, "AES-GCM-256 with 16 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV8, 128, "AES-CCM-128 with 8 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV8, 192, "AES-CCM-192 with 8 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV8, 256, "AES-CCM-256 with 8 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV12, 128, "AES-CCM-128 with 12 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV12, 192, "AES-CCM-192 with 12 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV12, 256, "AES-CCM-256 with 12 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV16, 128, "AES-CCM-128 with 16 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV16, 192, "AES-CCM-192 with 16 octet ICV [RFC5282]" },
+ { ENCR_AES_CCM_ICV16, 256, "AES-CCM-256 with 16 octet ICV [RFC5282]" },
+};
+
+/**
+ * Wireshark IKE algorithms for integrity
+ */
+static algo_map_t ike_integ[] = {
+ { AUTH_HMAC_MD5_96, -1, "HMAC_MD5_96 [RFC2403]" },
+ { AUTH_HMAC_SHA1_96, -1, "HMAC_SHA1_96 [RFC2404]" },
+ { AUTH_HMAC_MD5_128, -1, "HMAC_MD5_128 [RFC4595]" },
+ { AUTH_HMAC_SHA1_160, -1, "HMAC_SHA1_160 [RFC4595]" },
+ { AUTH_HMAC_SHA2_256_128, -1, "HMAC_SHA2_256_128 [RFC4868]" },
+ { AUTH_HMAC_SHA2_384_192, -1, "HMAC_SHA2_384_192 [RFC4868]" },
+ { AUTH_HMAC_SHA2_512_256, -1, "HMAC_SHA2_512_256 [RFC4868]" },
+ { AUTH_HMAC_SHA2_256_96, -1, "HMAC_SHA2_256_96 [draft-ietf-ipsec-ciph-sha-256-00]" },
+ { AUTH_UNDEFINED, -1, "NONE [RFC4306]" },
+};
+
+/**
+ * Map an IKE proposal
+ */
+static inline void ike_names(proposal_t *proposal, const char **enc,
+ const char **integ)
+{
+ uint16_t alg, len;
+
+ if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
+ {
+ *enc = algo_name(ike_encr, countof(ike_encr), alg, len);
+ }
+ if (encryption_algorithm_is_aead(alg))
+ {
+ alg = AUTH_UNDEFINED;
+ }
+ else if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
+ {
+ return;
+ }
+ *integ = algo_name(ike_integ, countof(ike_integ), alg, -1);
+}
+
+/**
+ * Wireshark ESP algorithm identifiers for encryption
+ */
+static algo_map_t esp_encr[] = {
+ { ENCR_NULL, -1, "NULL" },
+ { ENCR_3DES, -1, "TripleDes-CBC [RFC2451]" },
+ { ENCR_AES_CBC, -1, "AES-CBC [RFC3602]" },
+ { ENCR_AES_CTR, -1, "AES-CTR [RFC3686]" },
+ { ENCR_DES, -1, "DES-CBC [RFC2405]" },
+ { ENCR_CAST, -1, "CAST5-CBC [RFC2144]" },
+ { ENCR_BLOWFISH, -1, "BLOWFISH-CBC [RFC2451]" },
+ { ENCR_TWOFISH_CBC, -1, "TWOFISH-CBC" },
+ { ENCR_AES_GCM_ICV8, -1, "AES-GCM [RFC4106]" },
+ { ENCR_AES_GCM_ICV12, -1, "AES-GCM [RFC4106]" },
+ { ENCR_AES_GCM_ICV16, -1, "AES-GCM [RFC4106]" },
+};
+
+/**
+ * Wireshark ESP algorithms for integrity
+ */
+static algo_map_t esp_integ[] = {
+ { AUTH_HMAC_SHA1_96, -1, "HMAC-SHA-1-96 [RFC2404]" },
+ { AUTH_HMAC_MD5_96, -1, "HMAC-MD5-96 [RFC2403]" },
+ { AUTH_HMAC_SHA2_256_128, -1, "HMAC-SHA-256-128 [RFC4868]" },
+ { AUTH_HMAC_SHA2_384_192, -1, "HMAC-SHA-384-192 [RFC4868]" },
+ { AUTH_HMAC_SHA2_512_256, -1, "HMAC-SHA-512-256 [RFC4868]" },
+ { AUTH_HMAC_SHA2_256_96, -1, "HMAC-SHA-256-96 [draft-ietf-ipsec-ciph-sha-256-00]" },
+ { AUTH_UNDEFINED, 64, "ANY 64 bit authentication [no checking]" },
+ { AUTH_UNDEFINED, 96, "ANY 96 bit authentication [no checking]" },
+ { AUTH_UNDEFINED, 128, "ANY 128 bit authentication [no checking]" },
+ { AUTH_UNDEFINED, 192, "ANY 192 bit authentication [no checking]" },
+ { AUTH_UNDEFINED, 256, "ANY 256 bit authentication [no checking]" },
+ { AUTH_UNDEFINED, -1, "NULL" },
+};
+
+/**
+ * Map an ESP proposal
+ */
+static inline void esp_names(proposal_t *proposal, const char **enc,
+ const char **integ)
+{
+ uint16_t alg, len;
+
+ if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
+ {
+ *enc = algo_name(esp_encr, countof(esp_encr), alg, len);
+ }
+ len = -1;
+ if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
+ {
+ switch (alg)
+ {
+ case ENCR_AES_GCM_ICV8:
+ len = 64;
+ break;
+ case ENCR_AES_GCM_ICV12:
+ len = 64;
+ break;
+ case ENCR_AES_GCM_ICV16:
+ len = 128;
+ break;
+ }
+ alg = AUTH_UNDEFINED;
+ }
+ *integ = algo_name(esp_integ, countof(esp_integ), alg, len);
+}
+
+METHOD(listener_t, ike_derived_keys, bool,
+ private_save_keys_listener_t *this, ike_sa_t *ike_sa, chunk_t sk_ei,
+ chunk_t sk_er, chunk_t sk_ai, chunk_t sk_ar)
+{
+ ike_version_t version;
+ ike_sa_id_t *id;
+ const char *enc = NULL, *integ = NULL;
+ char *path, *name;
+ FILE *file;
+
+ if (!this->path || !this->ike)
+ {
+ return TRUE;
+ }
+
+ version = ike_sa->get_version(ike_sa);
+ name = version == IKEV2 ? ikev2_name : ikev1_name;
+ if (asprintf(&path, "%s/%s", this->path, name) < 0)
+ {
+ DBG1(DBG_IKE, "failed to build path to IKE key table");
+ return TRUE;
+ }
+
+ file = fopen(path, "a");
+ if (file)
+ {
+ id = ike_sa->get_id(ike_sa);
+ if (version == IKEV2)
+ {
+ ike_names(ike_sa->get_proposal(ike_sa), &enc, &integ);
+ if (enc && integ)
+ {
+ fprintf(file, "%.16"PRIx64",%.16"PRIx64",%+B,%+B,\"%s\","
+ "%+B,%+B,\"%s\"\n", be64toh(id->get_initiator_spi(id)),
+ be64toh(id->get_responder_spi(id)), &sk_ei, &sk_er,
+ enc, &sk_ai, &sk_ar, integ);
+ }
+ }
+ else
+ {
+ fprintf(file, "%.16"PRIx64",%+B\n",
+ be64toh(id->get_initiator_spi(id)), &sk_ei);
+ }
+ fclose(file);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "failed to open IKE key table '%s': %s", path,
+ strerror(errno));
+ }
+ free(path);
+ return TRUE;
+}
+
+METHOD(listener_t, child_derived_keys, bool,
+ private_save_keys_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ bool initiator, chunk_t encr_i, chunk_t encr_r, chunk_t integ_i,
+ chunk_t integ_r)
+{
+ host_t *init, *resp;
+ uint32_t spi_i, spi_r;
+ const char *enc = NULL, *integ = NULL;
+ char *path, *family;
+ FILE *file;
+
+ if (!this->path || !this->esp ||
+ child_sa->get_protocol(child_sa) != PROTO_ESP)
+ {
+ return TRUE;
+ }
+
+ if (asprintf(&path, "%s/%s", this->path, esp_name) < 0)
+ {
+ DBG1(DBG_CHD, "failed to build path to ESP key table");
+ return TRUE;
+ }
+
+ file = fopen(path, "a");
+ if (file)
+ {
+ esp_names(child_sa->get_proposal(child_sa), &enc, &integ);
+ if (enc && integ)
+ {
+ /* Since the IPs are printed this is not compatible with MOBIKE */
+ if (initiator)
+ {
+ init = ike_sa->get_my_host(ike_sa);
+ resp = ike_sa->get_other_host(ike_sa);
+ }
+ else
+ {
+ init = ike_sa->get_other_host(ike_sa);
+ resp = ike_sa->get_my_host(ike_sa);
+ }
+ spi_i = child_sa->get_spi(child_sa, initiator);
+ spi_r = child_sa->get_spi(child_sa, !initiator);
+ family = init->get_family(init) == AF_INET ? "IPv4" : "IPv6";
+ fprintf(file, "\"%s\",\"%H\",\"%H\",\"0x%.8x\",\"%s\",\"0x%+B\","
+ "\"%s\",\"0x%+B\"\n", family, init, resp, ntohl(spi_r), enc,
+ &encr_i, integ, &integ_i);
+ fprintf(file, "\"%s\",\"%H\",\"%H\",\"0x%.8x\",\"%s\",\"0x%+B\","
+ "\"%s\",\"0x%+B\"\n", family, resp, init, ntohl(spi_i), enc,
+ &encr_r, integ, &integ_r);
+ }
+ fclose(file);
+ }
+ else
+ {
+ DBG1(DBG_CHD, "failed to open ESP key table '%s': %s", path,
+ strerror(errno));
+ }
+ free(path);
+ return TRUE;
+}
+
+/**
+ * See header.
+ */
+save_keys_listener_t *save_keys_listener_create()
+{
+ private_save_keys_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .ike_derived_keys = _ike_derived_keys,
+ .child_derived_keys = _child_derived_keys,
+ },
+ .destroy = _destroy,
+ },
+ .path = lib->settings->get_str(lib->settings,
+ "%s.plugins.save-keys.wireshark_keys",
+ NULL, lib->ns),
+ .esp = lib->settings->get_bool(lib->settings,
+ "%s.plugins.save-keys.esp",
+ FALSE, lib->ns),
+ .ike = lib->settings->get_bool(lib->settings,
+ "%s.plugins.save-keys.ike",
+ FALSE, lib->ns),
+ );
+
+ if (this->path && (this->ike || this->esp))
+ {
+ char *keys = "IKE";
+
+ if (this->ike && this->esp)
+ {
+ keys = "IKE AND ESP";
+ }
+ else if (this->esp)
+ {
+ keys = "ESP";
+ }
+ DBG0(DBG_DMN, "!!", keys, this->path);
+ DBG0(DBG_DMN, "!! WARNING: SAVING %s KEYS TO '%s'", keys, this->path);
+ DBG0(DBG_DMN, "!!", keys, this->path);
+ }
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.h b/src/libcharon/plugins/save_keys/save_keys_listener.h
new file mode 100644
index 000000000..c4dc2cf45
--- /dev/null
+++ b/src/libcharon/plugins/save_keys/save_keys_listener.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com)
+ * Copyright (C) 2016 IXIA (http://www.ixiacom.com)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup save_keys_listener save_keys_listener
+ * @{ @ingroup save_keys
+ */
+
+#ifndef SAVE_KEYS_LISTENER_H_
+#define SAVE_KEYS_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct save_keys_listener_t save_keys_listener_t;
+
+/**
+ * Listener saving derived IKE and ESP keys.
+ */
+struct save_keys_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy this instance.
+ */
+ void (*destroy)(save_keys_listener_t *this);
+};
+
+/**
+ * Create a save_keys_listener_t instance.
+ */
+save_keys_listener_t *save_keys_listener_create();
+
+#endif /** SAVE_KEYS_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/save_keys/save_keys_plugin.c b/src/libcharon/plugins/save_keys/save_keys_plugin.c
new file mode 100644
index 000000000..93db5bcac
--- /dev/null
+++ b/src/libcharon/plugins/save_keys/save_keys_plugin.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com)
+ * Copyright (C) 2016 IXIA (http://www.ixiacom.com)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "save_keys_plugin.h"
+#include "save_keys_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_save_keys_plugin_t private_save_keys_plugin_t;
+
+/**
+ * Private data.
+ */
+struct private_save_keys_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ save_keys_plugin_t public;
+
+ /**
+ * Listener saving keys to file.
+ */
+ save_keys_listener_t *listener;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_save_keys_plugin_t *this)
+{
+ return "save-keys";
+}
+
+/**
+ * Register listener.
+ */
+static bool plugin_cb(private_save_keys_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *cb_data)
+{
+ if (reg)
+ {
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+ }
+ else
+ {
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ }
+ return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+ private_save_keys_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "save-keys"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_save_keys_plugin_t *this)
+{
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/**
+ * Plugin constructor.
+ */
+plugin_t *save_keys_plugin_create()
+{
+ private_save_keys_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ .listener = save_keys_listener_create(),
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/save_keys/save_keys_plugin.h b/src/libcharon/plugins/save_keys/save_keys_plugin.h
new file mode 100644
index 000000000..9501b5479
--- /dev/null
+++ b/src/libcharon/plugins/save_keys/save_keys_plugin.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com)
+ * Copyright (C) 2016 IXIA (http://www.ixiacom.com)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup save_keys save_keys
+ * @ingroup cplugins
+ *
+ * @defgroup save_keys_plugin save_keys_plugin
+ * @{ @ingroup save_keys
+ */
+
+#ifndef SAVE_KEYS_PLUGIN_H_
+#define SAVE_KEYS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct save_keys_plugin_t save_keys_plugin_t;
+
+/**
+ * Plugin that saves derived IKE and ESP keys.
+ */
+struct save_keys_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** SAVE_KEYS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index ac0129210..ca22c7f82 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -519,7 +519,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
enumerator->destroy(enumerator);
}
- /* authentication metod (class, actually) */
+ /* authentication method (class, actually) */
if (strpfx(auth, "ike:") ||
strpfx(auth, "pubkey") ||
strpfx(auth, "rsa") ||
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 9b61afb5c..7fc95657e 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -1131,7 +1131,6 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
shared_key_t *shared_key;
linked_list_t *owners;
chunk_t secret = chunk_empty;
- bool any = TRUE;
err_t ugh = extract_secret(&secret, &line);
if (ugh != NULL)
@@ -1148,7 +1147,6 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
while (ids.len > 0)
{
chunk_t id;
- identification_t *peer_id;
ugh = extract_value(&id, &ids);
if (ugh != NULL)
@@ -1165,17 +1163,9 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
/* NULL terminate the ID string */
*(id.ptr + id.len) = '\0';
- peer_id = identification_create_from_string(id.ptr);
- if (peer_id->get_type(peer_id) == ID_ANY)
- {
- peer_id->destroy(peer_id);
- continue;
- }
-
- owners->insert_last(owners, peer_id);
- any = FALSE;
+ owners->insert_last(owners, identification_create_from_string(id.ptr));
}
- if (any)
+ if (!owners->get_count(owners))
{
owners->insert_last(owners,
identification_create_from_encoding(ID_ANY, chunk_empty));
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 22992599d..2bed420be 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -693,7 +693,7 @@ METHOD(stroke_list_t, status, void,
/**
* create a unique certificate list without duplicates
- * certicates having the same issuer are grouped together.
+ * certificates having the same issuer are grouped together.
*/
static linked_list_t* create_unique_cert_list(certificate_type_t type)
{
diff --git a/src/libcharon/plugins/uci/uci_parser.c b/src/libcharon/plugins/uci/uci_parser.c
index e847dd393..283d93928 100644
--- a/src/libcharon/plugins/uci/uci_parser.c
+++ b/src/libcharon/plugins/uci/uci_parser.c
@@ -112,7 +112,7 @@ METHOD(uci_parser_t, create_section_enumerator, enumerator_t*,
va_list args;
int i;
- /* allocate enumerator large enought to hold keyword pointers */
+ /* allocate enumerator large enough to hold keyword pointers */
i = 1;
va_start(args, this);
while (va_arg(args, char*))
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 83521250d..49cce379d 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -530,11 +530,11 @@ on the key identifier derived from the public key).
### load-shared() ###
-Load a shared IKE PSK, EAP or XAuth secret into the daemon.
+Load a shared IKE PSK, EAP, XAuth or NTLM secret into the daemon.
{
id = <optional unique identifier of this shared key>
- type = <shared key type, IKE|EAP|XAUTH>
+ type = <shared key type, IKE|EAP|XAUTH|NTLM>
data = <raw shared key data>
owners = [
<list of shared key owner identities>
@@ -546,8 +546,8 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
### unload-shared() ###
-Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique
-identifier.
+Unload a previously loaded shared IKE PSK, EAP, XAuth or NTLM secret by its
+unique identifier.
{
id = <unique identifier of the shared key to unload>
diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h
index 3ca9de424..d69597881 100644
--- a/src/libcharon/plugins/vici/libvici.h
+++ b/src/libcharon/plugins/vici/libvici.h
@@ -43,7 +43,7 @@
* thread pool.
*
* Connecting requires an uri, which is currently either a UNIX socket path
- * prefixed with unix://, or a hostname:port touple prefixed with tcp://.
+ * prefixed with unix://, or a hostname:port tuple prefixed with tcp://.
* Passing NULL takes the system default socket path.
*
* After the connection has been established, request messages can be sent.
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index ff4e07d2d..6d29988db 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -476,8 +476,8 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-@RUBY_GEMS_INSTALL_FALSE@uninstall-local:
@RUBY_GEMS_INSTALL_FALSE@install-data-local:
+@RUBY_GEMS_INSTALL_FALSE@uninstall-local:
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 5d8bf2f05..ec6c80a5b 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -434,7 +434,7 @@ CALLBACK(load_shared, vici_message_t*,
{
type = SHARED_IKE;
}
- else if (strcaseeq(str, "eap") || streq(str, "xauth"))
+ else if (strcaseeq(str, "eap") || strcaseeq(str, "xauth"))
{
type = SHARED_EAP;
}
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 134ea375d..82c3d7855 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -774,7 +774,7 @@ CALLBACK(list_conns, vici_message_t*,
ike_cfg_t *ike_cfg;
child_cfg_t *child_cfg;
char *ike, *str, *interface;
- uint32_t manual_prio;
+ uint32_t manual_prio, dpd_delay, dpd_timeout;
linked_list_t *list;
traffic_selector_t *ts;
lifetime_cfg_t *lft;
@@ -825,6 +825,18 @@ CALLBACK(list_conns, vici_message_t*,
b->add_kv(b, "unique", "%N", unique_policy_names,
peer_cfg->get_unique_policy(peer_cfg));
+ dpd_delay = peer_cfg->get_dpd(peer_cfg);
+ if (dpd_delay)
+ {
+ b->add_kv(b, "dpd_delay", "%u", dpd_delay);
+ }
+
+ dpd_timeout = peer_cfg->get_dpd_timeout(peer_cfg);
+ if (dpd_timeout)
+ {
+ b->add_kv(b, "dpd_timeout", "%u", dpd_timeout);
+ }
+
build_auth_cfgs(peer_cfg, TRUE, b);
build_auth_cfgs(peer_cfg, FALSE, b);
@@ -843,6 +855,11 @@ CALLBACK(list_conns, vici_message_t*,
b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
free(lft);
+ b->add_kv(b, "dpd_action", "%N", action_names,
+ child_cfg->get_dpd_action(child_cfg));
+ b->add_kv(b, "close_action", "%N", action_names,
+ child_cfg->get_close_action(child_cfg));
+
b->begin_list(b, "local-ts");
list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
selectors = list->create_enumerator(list);
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index b2d5a11f6..b33ea617b 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -27,7 +27,7 @@ typedef struct delete_child_sa_job_t delete_child_sa_job_t;
#include <library.h>
#include <sa/ike_sa_id.h>
#include <processing/jobs/job.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
/**
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h
index 1de06fd07..1c9d9b400 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h
@@ -26,7 +26,7 @@ typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
#include <library.h>
#include <sa/ike_sa_id.h>
#include <processing/jobs/job.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
/**
* Class representing an REKEY_CHILD_SA Job.
@@ -50,4 +50,5 @@ struct rekey_child_sa_job_t {
*/
rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol,
uint32_t spi, host_t *dst);
+
#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index ed978dc8b..17beb68b6 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -26,7 +26,7 @@ typedef struct update_sa_job_t update_sa_job_t;
#include <library.h>
#include <networking/host.h>
#include <processing/jobs/job.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
/**
* Update the addresses of an IKE and its CHILD_SAs.
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 91da4d3e6..a01ee9e4d 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2017 Tobias Brunner
+ * Copyright (C) 2006-2018 Tobias Brunner
* Copyright (C) 2016 Andreas Steffen
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
@@ -1249,17 +1249,6 @@ METHOD(child_sa_t, install_policies, status_t,
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
- /* install outbound drop policy to avoid packets leaving unencrypted
- * when updating policies */
- if (priority == POLICY_PRIORITY_DEFAULT && manual_prio == 0 &&
- require_policy_update() && install_outbound)
- {
- status |= install_policies_outbound(this, this->my_addr,
- this->other_addr, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_FALLBACK, 0);
- }
-
status |= install_policies_inbound(this, this->my_addr,
this->other_addr, my_ts, other_ts,
&my_sa, &other_sa, POLICY_IPSEC,
@@ -1350,15 +1339,6 @@ METHOD(child_sa_t, install_outbound, status_t,
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
- /* install outbound drop policy to avoid packets leaving unencrypted
- * when updating policies */
- if (manual_prio == 0 && require_policy_update())
- {
- status |= install_policies_outbound(this, this->my_addr,
- this->other_addr, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_FALLBACK, 0);
- }
status |= install_policies_outbound(this, this->my_addr,
this->other_addr, my_ts, other_ts,
&my_sa, &other_sa, POLICY_IPSEC,
@@ -1407,12 +1387,6 @@ METHOD(child_sa_t, remove_outbound, void,
my_ts, other_ts, &my_sa, &other_sa,
POLICY_IPSEC, POLICY_PRIORITY_DEFAULT,
manual_prio);
- if (manual_prio == 0 && require_policy_update())
- {
- del_policies_outbound(this, this->my_addr, this->other_addr,
- my_ts, other_ts, &my_sa, &other_sa,
- POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0);
- }
}
enumerator->destroy(enumerator);
}
@@ -1458,8 +1432,65 @@ CALLBACK(reinstall_vip, void,
}
}
+/**
+ * Update addresses and encap state of IPsec SAs in the kernel
+ */
+static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other,
+ bool encap)
+{
+ /* update our (initiator) SA */
+ if (this->my_spi)
+ {
+ kernel_ipsec_sa_id_t id = {
+ .src = this->other_addr,
+ .dst = this->my_addr,
+ .spi = this->my_spi,
+ .proto = proto_ike2ip(this->protocol),
+ .mark = mark_in_sa(this),
+ };
+ kernel_ipsec_update_sa_t sa = {
+ .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
+ .new_src = other,
+ .new_dst = me,
+ .encap = this->encap,
+ .new_encap = encap,
+ };
+ if (charon->kernel->update_sa(charon->kernel, &id,
+ &sa) == NOT_SUPPORTED)
+ {
+ return NOT_SUPPORTED;
+ }
+ }
+
+ /* update his (responder) SA */
+ if (this->other_spi)
+ {
+ kernel_ipsec_sa_id_t id = {
+ .src = this->my_addr,
+ .dst = this->other_addr,
+ .spi = this->other_spi,
+ .proto = proto_ike2ip(this->protocol),
+ .mark = this->mark_out,
+ };
+ kernel_ipsec_update_sa_t sa = {
+ .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
+ .new_src = me,
+ .new_dst = other,
+ .encap = this->encap,
+ .new_encap = encap,
+ };
+ if (charon->kernel->update_sa(charon->kernel, &id,
+ &sa) == NOT_SUPPORTED)
+ {
+ return NOT_SUPPORTED;
+ }
+ }
+ /* we currently ignore the actual return values above */
+ return SUCCESS;
+}
+
METHOD(child_sa_t, update, status_t,
- private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips,
+ private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips,
bool encap)
{
child_sa_state_t old;
@@ -1478,84 +1509,50 @@ METHOD(child_sa_t, update, status_t,
this->config->has_option(this->config,
OPT_PROXY_MODE);
- if (!transport_proxy_mode)
+ if (!this->config->has_option(this->config, OPT_NO_POLICIES) &&
+ require_policy_update())
{
- /* update our (initiator) SA */
- if (this->my_spi)
- {
- kernel_ipsec_sa_id_t id = {
- .src = this->other_addr,
- .dst = this->my_addr,
- .spi = this->my_spi,
- .proto = proto_ike2ip(this->protocol),
- .mark = mark_in_sa(this),
- };
- kernel_ipsec_update_sa_t sa = {
- .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
- .new_src = other,
- .new_dst = me,
- .encap = this->encap,
- .new_encap = encap,
- };
- if (charon->kernel->update_sa(charon->kernel, &id,
- &sa) == NOT_SUPPORTED)
- {
- set_state(this, old);
- return NOT_SUPPORTED;
- }
- }
+ ipsec_sa_cfg_t my_sa, other_sa;
+ enumerator_t *enumerator;
+ traffic_selector_t *my_ts, *other_ts;
+ uint32_t manual_prio;
+ status_t state;
+
+ prepare_sa_cfg(this, &my_sa, &other_sa);
+ manual_prio = this->config->get_manual_prio(this->config);
- /* update his (responder) SA */
- if (this->other_spi)
+ enumerator = create_policy_enumerator(this);
+ while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
- kernel_ipsec_sa_id_t id = {
- .src = this->my_addr,
- .dst = this->other_addr,
- .spi = this->other_spi,
- .proto = proto_ike2ip(this->protocol),
- .mark = this->mark_out,
- };
- kernel_ipsec_update_sa_t sa = {
- .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
- .new_src = me,
- .new_dst = other,
- .encap = this->encap,
- .new_encap = encap,
- };
- if (charon->kernel->update_sa(charon->kernel, &id,
- &sa) == NOT_SUPPORTED)
- {
- set_state(this, old);
- return NOT_SUPPORTED;
- }
+ /* install drop policy to avoid traffic leaks, acquires etc. */
+ install_policies_outbound(this, this->my_addr, this->other_addr,
+ my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP,
+ POLICY_PRIORITY_DEFAULT, manual_prio);
+
+ /* remove old policies */
+ del_policies_internal(this, this->my_addr, this->other_addr,
+ my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
+ POLICY_PRIORITY_DEFAULT, manual_prio);
}
- }
+ enumerator->destroy(enumerator);
- if (!this->config->has_option(this->config, OPT_NO_POLICIES) &&
- require_policy_update())
- {
- if (!me->ip_equals(me, this->my_addr) ||
- !other->ip_equals(other, this->other_addr))
- {
- ipsec_sa_cfg_t my_sa, other_sa;
- enumerator_t *enumerator;
- traffic_selector_t *my_ts, *other_ts;
- uint32_t manual_prio;
+ /* update the IPsec SAs */
+ state = update_sas(this, me, other, encap);
- prepare_sa_cfg(this, &my_sa, &other_sa);
- manual_prio = this->config->get_manual_prio(this->config);
+ enumerator = create_policy_enumerator(this);
+ while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+ {
+ traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL;
- /* always use high priorities, as hosts getting updated are INSTALLED */
- enumerator = create_policy_enumerator(this);
- while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+ /* reinstall the previous policies if we can't update the SAs */
+ if (state == NOT_SUPPORTED)
+ {
+ install_policies_internal(this, this->my_addr, this->other_addr,
+ my_ts, other_ts, &my_sa, &other_sa,
+ POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio);
+ }
+ else
{
- traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL;
-
- /* remove old policies first */
- del_policies_internal(this, this->my_addr, this->other_addr,
- my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
- POLICY_PRIORITY_DEFAULT, manual_prio);
-
/* check if we have to update a "dynamic" traffic selector */
if (!me->ip_equals(me, this->my_addr) &&
my_ts->is_host(my_ts, this->my_addr))
@@ -1578,23 +1575,32 @@ METHOD(child_sa_t, update, status_t,
install_policies_internal(this, me, other, my_ts, other_ts,
&my_sa, &other_sa, POLICY_IPSEC,
POLICY_PRIORITY_DEFAULT, manual_prio);
-
- /* update fallback policies after the new policy is in place */
- if (manual_prio == 0)
- {
- del_policies_outbound(this, this->my_addr, this->other_addr,
- old_my_ts ?: my_ts,
- old_other_ts ?: other_ts,
- &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_FALLBACK, 0);
- install_policies_outbound(this, me, other, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_FALLBACK, 0);
- }
- DESTROY_IF(old_my_ts);
- DESTROY_IF(old_other_ts);
}
- enumerator->destroy(enumerator);
+ /* remove the drop policy */
+ del_policies_outbound(this, this->my_addr, this->other_addr,
+ old_my_ts ?: my_ts,
+ old_other_ts ?: other_ts,
+ &my_sa, &other_sa, POLICY_DROP,
+ POLICY_PRIORITY_DEFAULT, 0);
+
+ DESTROY_IF(old_my_ts);
+ DESTROY_IF(old_other_ts);
+ }
+ enumerator->destroy(enumerator);
+
+ if (state == NOT_SUPPORTED)
+ {
+ set_state(this, old);
+ return NOT_SUPPORTED;
+ }
+
+ }
+ else if (!transport_proxy_mode)
+ {
+ if (update_sas(this, me, other, encap) == NOT_SUPPORTED)
+ {
+ set_state(this, old);
+ return NOT_SUPPORTED;
}
}
@@ -1655,13 +1661,6 @@ METHOD(child_sa_t, destroy, void,
del_policies_inbound(this, this->my_addr, this->other_addr,
my_ts, other_ts, &my_sa, &other_sa,
POLICY_IPSEC, priority, manual_prio);
- if (!this->trap && manual_prio == 0 && require_policy_update() &&
- del_outbound)
- {
- del_policies_outbound(this, this->my_addr, this->other_addr,
- my_ts, other_ts, &my_sa, &other_sa,
- POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0);
- }
}
enumerator->destroy(enumerator);
}
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 082404d93..49175ca01 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -30,7 +30,7 @@ typedef struct child_sa_t child_sa_t;
#include <library.h>
#include <crypto/prf_plus.h>
#include <encoding/payloads/proposal_substructure.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <config/child_cfg.h>
/**
@@ -145,7 +145,7 @@ extern enum_name_t *child_sa_outbound_state_names;
* - B allocates an SPI for the selected protocol
* - B calls child_sa_t.install for both, the allocated and received SPI
* - B sends the proposal with the allocated SPI to A
- * - A calls child_sa_t.install for both, the allocated and recevied SPI
+ * - A calls child_sa_t.install for both, the allocated and received SPI
*
* Once SAs are set up, policies can be added using add_policies.
*/
@@ -254,7 +254,7 @@ struct child_sa_t {
/**
* Set the negotiated IPsec mode to use.
*
- * @param mode TUNNEL | TRANPORT | BEET
+ * @param mode TUNNEL | TRANSPORT | BEET
*/
void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h
index 4ed1cae20..391c906e9 100644
--- a/src/libcharon/sa/eap/eap_manager.h
+++ b/src/libcharon/sa/eap/eap_manager.h
@@ -30,7 +30,7 @@ typedef struct eap_manager_t eap_manager_t;
* The EAP manager manages all EAP implementations and creates instances.
*
* A plugin registers it's implemented EAP method at the manager by
- * providing type and a contructor function. The manager then instanciates
+ * providing type and a constructor function. The manager then instantiates
* eap_method_t instances through the provided constructor to handle
* EAP authentication.
*/
diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
index 8e25f7df8..840779727 100644
--- a/src/libcharon/sa/eap/eap_method.h
+++ b/src/libcharon/sa/eap/eap_method.h
@@ -64,7 +64,7 @@ struct eap_method_t {
/**
* Initiate the EAP exchange.
*
- * initiate() is only useable for server implementations, as clients only
+ * initiate() is only usable for server implementations, as clients only
* reply to server requests.
* A eap_payload is created in "out" if result is NEED_MORE.
*
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 823cf2579..e1f4ec95a 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -232,11 +232,6 @@ struct private_ike_sa_t {
chunk_t nat_detection_dest;
/**
- * number pending UPDATE_SA_ADDRESS (MOBIKE)
- */
- uint32_t pending_updates;
-
- /**
* NAT keep alive interval
*/
uint32_t keepalive_interval;
@@ -734,8 +729,11 @@ METHOD(ike_sa_t, set_condition, void,
switch (condition)
{
case COND_NAT_HERE:
- case COND_NAT_FAKE:
case COND_NAT_THERE:
+ DBG1(DBG_IKE, "%s host is not behind NAT anymore",
+ condition == COND_NAT_HERE ? "local" : "remote");
+ /* fall-through */
+ case COND_NAT_FAKE:
set_condition(this, COND_NAT_ANY,
has_condition(this, COND_NAT_HERE) ||
has_condition(this, COND_NAT_THERE) ||
@@ -1052,18 +1050,6 @@ METHOD(ike_sa_t, has_mapping_changed, bool,
return TRUE;
}
-METHOD(ike_sa_t, set_pending_updates, void,
- private_ike_sa_t *this, uint32_t updates)
-{
- this->pending_updates = updates;
-}
-
-METHOD(ike_sa_t, get_pending_updates, uint32_t,
- private_ike_sa_t *this)
-{
- return this->pending_updates;
-}
-
METHOD(ike_sa_t, float_ports, void,
private_ike_sa_t *this)
{
@@ -2561,6 +2547,12 @@ METHOD(ike_sa_t, roam, status_t,
break;
}
+ if (!this->ike_cfg)
+ { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
+ * without config assigned */
+ return SUCCESS;
+ }
+
/* ignore roam events if MOBIKE is not supported/enabled and the local
* address is statically configured */
if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) &&
@@ -2964,8 +2956,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
.supports_extension = _supports_extension,
.set_condition = _set_condition,
.has_condition = _has_condition,
- .set_pending_updates = _set_pending_updates,
- .get_pending_updates = _get_pending_updates,
.create_peer_address_enumerator = _create_peer_address_enumerator,
.add_peer_address = _add_peer_address,
.clear_peer_addresses = _clear_peer_addresses,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index fbc367292..b4fbc56d7 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -646,20 +646,6 @@ struct ike_sa_t {
*/
bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
- /**
- * Get the number of queued MOBIKE address updates.
- *
- * @return number of pending updates
- */
- uint32_t (*get_pending_updates)(ike_sa_t *this);
-
- /**
- * Set the number of queued MOBIKE address updates.
- *
- * @param updates number of pending updates
- */
- void (*set_pending_updates)(ike_sa_t *this, uint32_t updates);
-
#ifdef ME
/**
* Activate mediation server functionality for this IKE_SA.
@@ -869,7 +855,7 @@ struct ike_sa_t {
* @param message_id ID of the request to retransmit
* @return
* - SUCCESS
- * - NOT_FOUND if request doesn't have to be retransmited
+ * - NOT_FOUND if request doesn't have to be retransmitted
*/
status_t (*retransmit) (ike_sa_t *this, uint32_t message_id);
@@ -1169,7 +1155,7 @@ struct ike_sa_t {
void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);
/**
- * Reset the IKE_SA, useable when initiating fails.
+ * Reset the IKE_SA, usable when initiating fails.
*
* @param new_spi TRUE to allocate a new initiator SPI
*/
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index adce59f7e..5856f829e 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -1,6 +1,6 @@
/*
- * Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2012-2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
@@ -102,6 +102,31 @@ static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
}
/**
+ * Find a shared key for the given identities
+ */
+static shared_key_t *find_shared_key(identification_t *my_id, host_t *me,
+ identification_t *other_id, host_t *other)
+{
+ identification_t *any_id = NULL;
+ shared_key_t *shared_key;
+
+ if (!other_id)
+ {
+ any_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ other_id = any_id;
+ }
+ shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
+ my_id, other_id);
+ if (!shared_key)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
+ my_id, me, other_id, other);
+ }
+ DESTROY_IF(any_id);
+ return shared_key;
+}
+
+/**
* Lookup a shared secret for this IKE_SA
*/
static shared_key_t *lookup_shared_key(private_phase1_t *this,
@@ -131,15 +156,9 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
{
other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
}
- if (my_id && other_id)
+ if (my_id)
{
- shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
- my_id, other_id);
- if (!shared_key)
- {
- DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
- my_id, me, other_id, other);
- }
+ shared_key = find_shared_key(my_id, me, other_id, other);
}
}
}
@@ -158,14 +177,11 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
if (my_id)
{
- shared_key = lib->credmgr->get_shared(lib->credmgr,
- SHARED_IKE, my_id, other_id);
+ shared_key = find_shared_key(my_id, me, other_id, other);
if (shared_key)
{
break;
}
- DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
- my_id, me, other_id, other);
}
}
}
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index 7098d24a2..43897c304 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -547,7 +547,7 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
type, value));
}
enumerator->destroy(enumerator);
- /* if a client did not re-request all adresses, release them */
+ /* if a client did not re-request all addresses, release them */
enumerator = migrated->create_enumerator(migrated);
while (enumerator->enumerate(enumerator, &found))
{
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 49b476ad8..77592e59a 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1330,7 +1330,7 @@ METHOD(task_t, process_i, status_t,
&this->cpi_r);
if (!list->get_count(list))
{
- DBG1(DBG_IKE, "peer did not acccept our IPComp proposal, "
+ DBG1(DBG_IKE, "peer did not accept our IPComp proposal, "
"IPComp disabled");
this->cpi_i = 0;
}
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 361eb0fe1..5c0ec49f0 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2018 Tobias Brunner
* Copyright (C) 2007-2010 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -737,7 +737,7 @@ static status_t process_response(private_task_manager_t *this,
charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
}
- /* catch if we get resetted while processing */
+ /* catch if we get reset while processing */
this->reset = FALSE;
enumerator = array_create_enumerator(this->active_tasks);
while (enumerator->enumerate(enumerator, &task))
@@ -1642,24 +1642,9 @@ METHOD(task_manager_t, process_message, status_t,
METHOD(task_manager_t, queue_task_delayed, void,
private_task_manager_t *this, task_t *task, uint32_t delay)
{
- enumerator_t *enumerator;
queued_task_t *queued;
timeval_t time;
- if (task->get_type(task) == TASK_IKE_MOBIKE)
- { /* there is no need to queue more than one mobike task */
- enumerator = array_create_enumerator(this->queued_tasks);
- while (enumerator->enumerate(enumerator, &queued))
- {
- if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
- {
- enumerator->destroy(enumerator);
- task->destroy(task);
- return;
- }
- }
- enumerator->destroy(enumerator);
- }
time_monotonic(&time);
if (delay)
{
@@ -1877,12 +1862,41 @@ METHOD(task_manager_t, queue_ike_delete, void,
queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
}
+/**
+ * There is no need to queue more than one mobike task, so this either returns
+ * an already queued task or queues one if there is none yet.
+ */
+static ike_mobike_t *queue_mobike_task(private_task_manager_t *this)
+{
+ enumerator_t *enumerator;
+ queued_task_t *queued;
+ ike_mobike_t *mobike = NULL;
+
+ enumerator = array_create_enumerator(this->queued_tasks);
+ while (enumerator->enumerate(enumerator, &queued))
+ {
+ if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
+ {
+ mobike = (ike_mobike_t*)queued->task;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!mobike)
+ {
+ mobike = ike_mobike_create(this->ike_sa, TRUE);
+ queue_task(this, &mobike->task);
+ }
+ return mobike;
+}
+
METHOD(task_manager_t, queue_mobike, void,
private_task_manager_t *this, bool roam, bool address)
{
ike_mobike_t *mobike;
- mobike = ike_mobike_create(this->ike_sa, TRUE);
+ mobike = queue_mobike_task(this);
if (roam)
{
enumerator_t *enumerator;
@@ -1909,7 +1923,31 @@ METHOD(task_manager_t, queue_mobike, void,
{
mobike->addresses(mobike);
}
- queue_task(this, &mobike->task);
+}
+
+METHOD(task_manager_t, queue_dpd, void,
+ private_task_manager_t *this)
+{
+ ike_mobike_t *mobike;
+
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
+ {
+#ifdef ME
+ peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (cfg->get_peer_id(cfg) ||
+ this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
+#else
+ if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
+#endif
+ {
+ /* use mobike enabled DPD to detect NAT mapping changes */
+ mobike = queue_mobike_task(this);
+ mobike->dpd(mobike);
+ return;
+ }
+ }
+ queue_task(this, (task_t*)ike_dpd_create(TRUE));
}
METHOD(task_manager_t, queue_child, void,
@@ -1940,32 +1978,6 @@ METHOD(task_manager_t, queue_child_delete, void,
protocol, spi, expired));
}
-METHOD(task_manager_t, queue_dpd, void,
- private_task_manager_t *this)
-{
- ike_mobike_t *mobike;
-
- if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
- this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
- {
-#ifdef ME
- peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (cfg->get_peer_id(cfg) ||
- this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
-#else
- if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
-#endif
- {
- /* use mobike enabled DPD to detect NAT mapping changes */
- mobike = ike_mobike_create(this->ike_sa, TRUE);
- mobike->dpd(mobike);
- queue_task(this, &mobike->task);
- return;
- }
- }
- queue_task(this, (task_t*)ike_dpd_create(TRUE));
-}
-
METHOD(task_manager_t, adopt_tasks, void,
private_task_manager_t *this, task_manager_t *other_public)
{
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 4d4d72e0b..85dac6d59 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
@@ -277,12 +277,13 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
}
/**
- * Allocate SPIs and update proposals
+ * Allocate SPIs and update proposals, we also promote the selected DH group
*/
static bool allocate_spi(private_child_create_t *this)
{
enumerator_t *enumerator;
proposal_t *proposal;
+ linked_list_t *other_dh_groups;
if (this->initiator)
{
@@ -304,12 +305,29 @@ static bool allocate_spi(private_child_create_t *this)
{
if (this->initiator)
{
+ other_dh_groups = linked_list_create();
enumerator = this->proposals->create_enumerator(this->proposals);
while (enumerator->enumerate(enumerator, &proposal))
{
proposal->set_spi(proposal, this->my_spi);
+
+ /* move the selected DH group to the front, if any */
+ if (this->dh_group != MODP_NONE &&
+ !proposal->promote_dh_group(proposal, this->dh_group))
+ { /* proposals that don't contain the selected group are
+ * moved to the back */
+ this->proposals->remove_at(this->proposals, enumerator);
+ other_dh_groups->insert_last(other_dh_groups, proposal);
+ }
+ }
+ enumerator->destroy(enumerator);
+ enumerator = other_dh_groups->create_enumerator(other_dh_groups);
+ while (enumerator->enumerate(enumerator, (void**)&proposal))
+ { /* no need to remove from the list as we destroy it anyway*/
+ this->proposals->insert_last(this->proposals, proposal);
}
enumerator->destroy(enumerator);
+ other_dh_groups->destroy(other_dh_groups);
}
else
{
@@ -396,7 +414,7 @@ static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
}
/**
- * Substitude any host address with NATed address in traffic selector
+ * Substitute any host address with NATed address in traffic selector
*/
static linked_list_t* get_transport_nat_ts(private_child_create_t *this,
bool local, linked_list_t *in)
@@ -1006,8 +1024,8 @@ METHOD(task_t, build_i, status_t,
chunk_empty);
return SUCCESS;
}
- if (!this->retry)
- {
+ if (!this->retry && this->dh_group == MODP_NONE)
+ { /* during a rekeying the group might already be set */
this->dh_group = this->config->get_dh_group(this->config);
}
break;
@@ -1615,6 +1633,12 @@ METHOD(child_create_t, use_marks, void,
this->mark_out = out;
}
+METHOD(child_create_t, use_dh_group, void,
+ private_child_create_t *this, diffie_hellman_group_t dh_group)
+{
+ this->dh_group = dh_group;
+}
+
METHOD(child_create_t, get_child, child_sa_t*,
private_child_create_t *this)
{
@@ -1736,6 +1760,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
.get_lower_nonce = _get_lower_nonce,
.use_reqid = _use_reqid,
.use_marks = _use_marks,
+ .use_dh_group = _use_dh_group,
.task = {
.get_type = _get_type,
.migrate = _migrate,
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h
index f48d7b0a9..59fc6d2d9 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.h
+++ b/src/libcharon/sa/ikev2/tasks/child_create.h
@@ -1,6 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -60,6 +61,15 @@ struct child_create_t {
void (*use_marks)(child_create_t *this, u_int in, u_int out);
/**
+ * Initially propose a specific DH group to override configuration.
+ *
+ * This is used during rekeying to prefer the previously negotiated group.
+ *
+ * @param dh_group DH group to use
+ */
+ void (*use_dh_group)(child_create_t *this, diffie_hellman_group_t dh_group);
+
+ /**
* Get the lower of the two nonces, used for rekey collisions.
*
* @return lower nonce
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index b67e9b80f..f90056658 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2017 Tobias Brunner
+ * Copyright (C) 2009-2018 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
@@ -190,8 +190,18 @@ METHOD(task_t, build_i, status_t,
/* our CHILD_CREATE task does the hard work for us */
if (!this->child_create)
{
+ proposal_t *proposal;
+ uint16_t dh_group;
+
this->child_create = child_create_create(this->ike_sa,
config->get_ref(config), TRUE, NULL, NULL);
+
+ proposal = this->child_sa->get_proposal(this->child_sa);
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ &dh_group, NULL))
+ { /* reuse the DH group negotiated previously */
+ this->child_create->use_dh_group(this->child_create, dh_group);
+ }
}
reqid = this->child_sa->get_reqid(this->child_sa);
this->child_create->use_reqid(this->child_create, reqid);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index d75d21715..3d73d728b 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -282,7 +282,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
sa_payload_t *sa_payload;
ke_payload_t *ke_payload;
nonce_payload_t *nonce_payload;
- linked_list_t *proposal_list;
+ linked_list_t *proposal_list, *other_dh_groups;
ike_sa_id_t *id;
proposal_t *proposal;
enumerator_t *enumerator;
@@ -294,16 +294,31 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
if (this->initiator)
{
proposal_list = this->config->get_proposals(this->config);
- if (this->old_sa)
+ other_dh_groups = linked_list_create();
+ enumerator = proposal_list->create_enumerator(proposal_list);
+ while (enumerator->enumerate(enumerator, (void**)&proposal))
{
/* include SPI of new IKE_SA when we are rekeying */
- enumerator = proposal_list->create_enumerator(proposal_list);
- while (enumerator->enumerate(enumerator, (void**)&proposal))
+ if (this->old_sa)
{
proposal->set_spi(proposal, id->get_initiator_spi(id));
}
- enumerator->destroy(enumerator);
+ /* move the selected DH group to the front of the proposal */
+ if (!proposal->promote_dh_group(proposal, this->dh_group))
+ { /* the proposal does not include the group, move to the back */
+ proposal_list->remove_at(proposal_list, enumerator);
+ other_dh_groups->insert_last(other_dh_groups, proposal);
+ }
}
+ enumerator->destroy(enumerator);
+ /* add proposals that don't contain the selected group */
+ enumerator = other_dh_groups->create_enumerator(other_dh_groups);
+ while (enumerator->enumerate(enumerator, (void**)&proposal))
+ { /* no need to remove from the list as we destroy it anyway*/
+ proposal_list->insert_last(proposal_list, proposal);
+ }
+ enumerator->destroy(enumerator);
+ other_dh_groups->destroy(other_dh_groups);
sa_payload = sa_payload_create_from_proposals_v2(proposal_list);
proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
@@ -531,10 +546,30 @@ METHOD(task_t, build_i, status_t,
return FAILED;
}
- /* if the DH group is set via use_dh_group(), we already have a DH object */
+ /* if we are retrying after an INVALID_KE_PAYLOAD we already have one */
if (!this->dh)
{
- this->dh_group = this->config->get_dh_group(this->config);
+ if (this->old_sa && lib->settings->get_bool(lib->settings,
+ "%s.prefer_previous_dh_group", TRUE, lib->ns))
+ { /* reuse the DH group we used for the old IKE_SA when rekeying */
+ proposal_t *proposal;
+ uint16_t dh_group;
+
+ proposal = this->old_sa->get_proposal(this->old_sa);
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ &dh_group, NULL))
+ {
+ this->dh_group = dh_group;
+ }
+ else
+ { /* this shouldn't happen, but let's be safe */
+ this->dh_group = this->config->get_dh_group(this->config);
+ }
+ }
+ else
+ {
+ this->dh_group = this->config->get_dh_group(this->config);
+ }
this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
this->dh_group);
if (!this->dh)
@@ -544,6 +579,18 @@ METHOD(task_t, build_i, status_t,
return FAILED;
}
}
+ else if (this->dh->get_dh_group(this->dh) != this->dh_group)
+ { /* reset DH instance if group changed (INVALID_KE_PAYLOAD) */
+ this->dh->destroy(this->dh);
+ this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+ this->dh_group);
+ if (!this->dh)
+ {
+ DBG1(DBG_IKE, "requested DH group %N not supported",
+ diffie_hellman_group_names, this->dh_group);
+ return FAILED;
+ }
+ }
/* generate nonce only when we are trying the first time */
if (this->my_nonce.ptr == NULL)
@@ -929,12 +976,6 @@ METHOD(task_t, migrate, void,
this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
this->proposal = NULL;
this->dh_failed = FALSE;
- if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
- { /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
- this->dh->destroy(this->dh);
- this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
- this->dh_group);
- }
}
METHOD(task_t, destroy, void,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index dc0f24fb8..fe41a1cac 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2010-2014 Tobias Brunner
+ * Copyright (C) 2010-2018 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -76,14 +76,36 @@ struct private_ike_mobike_t {
* additional addresses got updated
*/
bool addresses_updated;
-
- /**
- * whether the pending updates counter was increased
- */
- bool pending_update;
};
/**
+ * Check if a newer MOBIKE update task is queued
+ */
+static bool is_newer_update_queued(private_ike_mobike_t *this)
+{
+ enumerator_t *enumerator;
+ private_ike_mobike_t *mobike;
+ task_t *task;
+ bool found = FALSE;
+
+ enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
+ TASK_QUEUE_QUEUED);
+ while (enumerator->enumerate(enumerator, &task))
+ {
+ if (task->get_type(task) == TASK_IKE_MOBIKE)
+ {
+ mobike = (private_ike_mobike_t*)task;
+ /* a queued check or update might invalidate the results of the
+ * current task */
+ found = mobike->check || mobike->update;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+/**
* read notifys from message and evaluate them
*/
static void process_payloads(private_ike_mobike_t *this, message_t *message)
@@ -526,9 +548,8 @@ METHOD(task_t, process_i, status_t,
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
- if (this->ike_sa->get_pending_updates(this->ike_sa) > 1)
+ if (is_newer_update_queued(this))
{
- /* newer update queued, ignore this one */
return SUCCESS;
}
if (this->cookie2.ptr)
@@ -553,7 +574,7 @@ METHOD(task_t, process_i, status_t,
if (this->natd)
{
this->natd->task.process(&this->natd->task, message);
- if (this->natd->has_mapping_changed(this->natd))
+ if (!this->update && this->natd->has_mapping_changed(this->natd))
{
/* force an update if mappings have changed */
this->update = this->check = TRUE;
@@ -615,25 +636,13 @@ METHOD(ike_mobike_t, addresses, void,
private_ike_mobike_t *this)
{
this->address = TRUE;
- if (!this->pending_update)
- {
- this->pending_update = TRUE;
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
}
METHOD(ike_mobike_t, roam, void,
private_ike_mobike_t *this, bool address)
{
this->check = TRUE;
- this->address = address;
- if (!this->pending_update)
- {
- this->pending_update = TRUE;
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
+ this->address |= address;
}
METHOD(ike_mobike_t, dpd, void,
@@ -643,12 +652,6 @@ METHOD(ike_mobike_t, dpd, void,
{
this->natd = ike_natd_create(this->ike_sa, this->initiator);
}
- if (!this->pending_update)
- {
- this->pending_update = TRUE;
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
}
METHOD(ike_mobike_t, is_probing, bool,
@@ -678,21 +681,11 @@ METHOD(task_t, migrate, void,
{
this->natd->task.migrate(&this->natd->task, ike_sa);
}
- if (this->pending_update)
- {
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
}
METHOD(task_t, destroy, void,
private_ike_mobike_t *this)
{
- if (this->pending_update)
- {
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) - 1);
- }
chunk_free(&this->cookie2);
if (this->natd)
{
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index bc40b3d92..17d2efe37 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -27,7 +27,7 @@ typedef struct keymat_t keymat_t;
#include <utils/identification.h>
#include <crypto/prfs/prf.h>
#include <crypto/aead.h>
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
#include <config/peer_cfg.h>
#include <sa/ike_sa_id.h>
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index e3fddf39b..9545da4f3 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -86,7 +86,7 @@ enum task_queue_t {
* completed.
* For the initial IKE_SA setup, several tasks are queued: One for the
* unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
- * and maybe one for virtual IP assignement.
+ * and maybe one for virtual IP assignment.
* The task manager is also responsible for retransmission. It uses a backoff
* algorithm. The timeout is calculated using
* RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
diff --git a/src/libcharon/sa/xauth/xauth_manager.h b/src/libcharon/sa/xauth/xauth_manager.h
index 65b3c58a3..513bf32f5 100644
--- a/src/libcharon/sa/xauth/xauth_manager.h
+++ b/src/libcharon/sa/xauth/xauth_manager.h
@@ -29,7 +29,7 @@ typedef struct xauth_manager_t xauth_manager_t;
* The XAuth manager manages all XAuth implementations and creates instances.
*
* A plugin registers it's implemented XAuth method at the manager by
- * providing type and a contructor function. The manager then instanciates
+ * providing type and a constructor function. The manager then instantiates
* xauth_method_t instances through the provided constructor to handle
* XAuth authentication.
*/
diff --git a/src/libcharon/sa/xauth/xauth_method.h b/src/libcharon/sa/xauth/xauth_method.h
index 701b4dc77..c0c2024e0 100644
--- a/src/libcharon/sa/xauth/xauth_method.h
+++ b/src/libcharon/sa/xauth/xauth_method.h
@@ -54,7 +54,7 @@ struct xauth_method_t {
/**
* Initiate the XAuth exchange.
*
- * initiate() is only useable for server implementations, as clients only
+ * initiate() is only usable for server implementations, as clients only
* reply to server requests.
* A cp_payload is created in "out" if result is NEED_MORE.
*
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
index 8f762a2e6..5ebd0456c 100644
--- a/src/libcharon/tests/Makefile.am
+++ b/src/libcharon/tests/Makefile.am
@@ -3,7 +3,6 @@ TESTS = libcharon_tests exchange_tests
check_PROGRAMS = $(TESTS)
libcharon_tests_SOURCES = \
- suites/test_proposal.c \
suites/test_ike_cfg.c \
suites/test_mem_pool.c \
suites/test_message_chapoly.c \
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
index 66d2431c9..24552d201 100644
--- a/src/libcharon/tests/Makefile.in
+++ b/src/libcharon/tests/Makefile.in
@@ -138,7 +138,6 @@ exchange_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
$(exchange_tests_CFLAGS) $(CFLAGS) $(exchange_tests_LDFLAGS) \
$(LDFLAGS) -o $@
am_libcharon_tests_OBJECTS = \
- suites/libcharon_tests-test_proposal.$(OBJEXT) \
suites/libcharon_tests-test_ike_cfg.$(OBJEXT) \
suites/libcharon_tests-test_mem_pool.$(OBJEXT) \
suites/libcharon_tests-test_message_chapoly.$(OBJEXT) \
@@ -475,7 +474,6 @@ urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
libcharon_tests_SOURCES = \
- suites/test_proposal.c \
suites/test_ike_cfg.c \
suites/test_mem_pool.c \
suites/test_message_chapoly.c \
@@ -608,8 +606,6 @@ utils/exchange_tests-mock_sender.$(OBJEXT): utils/$(am__dirstamp) \
exchange_tests$(EXEEXT): $(exchange_tests_OBJECTS) $(exchange_tests_DEPENDENCIES) $(EXTRA_exchange_tests_DEPENDENCIES)
@rm -f exchange_tests$(EXEEXT)
$(AM_V_CCLD)$(exchange_tests_LINK) $(exchange_tests_OBJECTS) $(exchange_tests_LDADD) $(LIBS)
-suites/libcharon_tests-test_proposal.$(OBJEXT): \
- suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libcharon_tests-test_ike_cfg.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/libcharon_tests-test_mem_pool.$(OBJEXT): \
@@ -640,7 +636,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_proposal.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_dh.Po@am__quote@
@@ -854,20 +849,6 @@ exchange_tests-exchange_tests.obj: exchange_tests.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o exchange_tests-exchange_tests.obj `if test -f 'exchange_tests.c'; then $(CYGPATH_W) 'exchange_tests.c'; else $(CYGPATH_W) '$(srcdir)/exchange_tests.c'; fi`
-suites/libcharon_tests-test_proposal.o: suites/test_proposal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c
-
-suites/libcharon_tests-test_proposal.obj: suites/test_proposal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi`
-
suites/libcharon_tests-test_ike_cfg.o: suites/test_ike_cfg.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_ike_cfg.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo -c -o suites/libcharon_tests-test_ike_cfg.o `test -f 'suites/test_ike_cfg.c' || echo '$(srcdir)/'`suites/test_ike_cfg.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po
diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h
index f770f464d..d17ea041d 100644
--- a/src/libcharon/tests/libcharon_tests.h
+++ b/src/libcharon/tests/libcharon_tests.h
@@ -24,7 +24,6 @@
* @ingroup libcharon-tests
*/
-TEST_SUITE(proposal_suite_create)
TEST_SUITE(ike_cfg_suite_create)
TEST_SUITE(mem_pool_suite_create)
TEST_SUITE_DEPEND(message_chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32)
diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c
index ac169723f..44d004ab7 100644
--- a/src/libcharon/tests/suites/test_child_rekey.c
+++ b/src/libcharon/tests/suites/test_child_rekey.c
@@ -231,6 +231,61 @@ START_TEST(test_regular_ke_invalid)
/* child_updown */
assert_hook();
+ /* because the DH group should get reused another rekeying should complete
+ * without additional exchange */
+ initiate_rekey(a, 5);
+ /* this should never get called as this results in a successful rekeying */
+ assert_hook_not_called(child_updown);
+
+ /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */
+ assert_hook_called(child_rekey);
+ assert_notify(IN, REKEY_SA);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 6, CHILD_REKEYED, CHILD_OUTBOUND_INSTALLED);
+ assert_child_sa_state(b, 8, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED);
+ assert_ipsec_sas_installed(b, 5, 6, 8);
+ assert_hook();
+
+ /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */
+ assert_hook_called(child_rekey);
+ assert_no_notify(IN, REKEY_SA);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 5, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED);
+ assert_child_sa_state(a, 7, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
+ assert_ipsec_sas_installed(a, 5, 6, 7, 8);
+ assert_hook();
+
+ /* INFORMATIONAL { D } --> */
+ assert_hook_not_called(child_rekey);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+ assert_child_sa_state(b, 6, CHILD_DELETING, CHILD_OUTBOUND_NONE);
+ assert_child_sa_state(b, 8, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED);
+ assert_child_sa_count(b, 2);
+ assert_ipsec_sas_installed(b, 6, 7, 8);
+ assert_hook();
+
+ /* <-- INFORMATIONAL { D } */
+ assert_hook_not_called(child_rekey);
+ assert_single_payload(IN, PLV2_DELETE);
+ exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+ assert_child_sa_state(a, 5, CHILD_DELETING, CHILD_OUTBOUND_NONE);
+ assert_child_sa_state(a, 7, CHILD_INSTALLED);
+ assert_child_sa_count(a, 2);
+ assert_ipsec_sas_installed(a, 5, 7, 8);
+ assert_hook();
+
+ /* simulate the execution of the scheduled jobs */
+ destroy_rekeyed(a, 5);
+ assert_child_sa_count(a, 1);
+ assert_ipsec_sas_installed(a, 7, 8);
+ destroy_rekeyed(b, 6);
+ assert_child_sa_count(b, 1);
+ assert_ipsec_sas_installed(b, 7, 8);
+
+ /* child_updown */
+ assert_hook();
+
call_ikesa(a, destroy);
call_ikesa(b, destroy);
}
diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c
index ba39657a4..e22a0c288 100644
--- a/src/libcharon/tests/suites/test_ike_rekey.c
+++ b/src/libcharon/tests/suites/test_ike_rekey.c
@@ -138,6 +138,8 @@ START_TEST(test_regular_ke_invalid)
lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
TRUE, lib->ns);
+ lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+ FALSE, lib->ns);
initiate_rekey(a);
@@ -382,6 +384,8 @@ START_TEST(test_collision_ke_invalid)
lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
TRUE, lib->ns);
+ lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+ FALSE, lib->ns);
/* Six nonces and SPIs are needed (SPI 1 and 2 are used for the initial
* IKE_SA):
@@ -591,6 +595,8 @@ START_TEST(test_collision_ke_invalid_delayed_retry)
lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
TRUE, lib->ns);
+ lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+ FALSE, lib->ns);
/* Five nonces and SPIs are needed (SPI 1 and 2 are used for the initial
* IKE_SA):
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index cabcd0a9e..d7b508ab9 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -239,9 +239,10 @@ static void add_default_pwd_enabled(imc_msg_t *msg)
static void add_device_id(imc_msg_t *msg)
{
pa_tnc_attr_t *attr;
- chunk_t value = chunk_empty, keyid;
- char *name, *device_id, *cert_path;
+ chunk_t chunk, value = chunk_empty, keyid;
+ char *name, *device_id, *device_handle, *cert_path;
certificate_t *cert = NULL;
+ private_key_t *privkey = NULL;
public_key_t *pubkey;
/* Get the device ID as a character string */
@@ -254,6 +255,32 @@ static void add_device_id(imc_msg_t *msg)
if (value.len == 0)
{
+ /* Derive the device ID from a private key bound to a smartcard or TPM */
+ device_handle = lib->settings->get_str(lib->settings,
+ "%s.plugins.imc-os.device_handle", NULL, lib->ns);
+ if (device_handle)
+ {
+ chunk = chunk_from_hex(
+ chunk_create(device_handle, strlen(device_handle)), NULL);
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ free(chunk.ptr);
+
+ if (privkey)
+ {
+ if (privkey->get_fingerprint(privkey, KEYID_PUBKEY_INFO_SHA1,
+ &keyid))
+ {
+ value = chunk_to_hex(keyid, NULL, FALSE);
+ }
+ privkey->destroy(privkey);
+
+ }
+ }
+ }
+
+ if (value.len == 0)
+ {
/* Derive the device ID from a raw public key */
cert_path = lib->settings->get_str(lib->settings,
"%s.plugins.imc-os.device_pubkey", NULL, lib->ns);
diff --git a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-2.swidtag
index f10740d60..bb4d300a9 100644
--- a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag
+++ b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-2.swidtag
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity
name="strongSwan"
- tagId="strongSwan-5-6-1"
- version="5.6.1" versionScheme="alphanumeric"
+ tagId="strongSwan-5-6-2"
+ version="5.6.2" versionScheme="alphanumeric"
xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">
<Entity
name="strongSwan Project"
diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-2.swidtag
index f10740d60..bb4d300a9 100644
--- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag
+++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-2.swidtag
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity
name="strongSwan"
- tagId="strongSwan-5-6-1"
- version="5.6.1" versionScheme="alphanumeric"
+ tagId="strongSwan-5-6-2"
+ version="5.6.2" versionScheme="alphanumeric"
xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd">
<Entity
name="strongSwan Project"
diff --git a/src/libimcv/pts/pts_database.h b/src/libimcv/pts/pts_database.h
index 3a5ff5992..a19f14485 100644
--- a/src/libimcv/pts/pts_database.h
+++ b/src/libimcv/pts/pts_database.h
@@ -74,7 +74,7 @@ struct pts_database_t {
* @param measurement File measurement hash
* @param filename Optional name of the file to be checked
* @param is_dir TRUE if part of directory measurement
- * @param id Primary key into direcories/files table
+ * @param id Primary key into directories/files table
* @return TRUE if successful
*/
bool (*add_file_measurement)(pts_database_t *this, int vid,
diff --git a/src/libimcv/pts/pts_pcr.h b/src/libimcv/pts/pts_pcr.h
index df84c679f..0658f1f98 100644
--- a/src/libimcv/pts/pts_pcr.h
+++ b/src/libimcv/pts/pts_pcr.h
@@ -92,7 +92,7 @@ struct pts_pcr_t {
* Extend the content of a PCR
*
* @param pcr index of PCR
- * @param measurement measurment value to be extended into PCR
+ * @param measurement measurement value to be extended into PCR
* @return new content of PCR
*/
chunk_t (*extend)(pts_pcr_t *this, uint32_t pcr, chunk_t measurement);
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
index 2cee8e10f..3a1feae53 100644
--- a/src/libpttls/pt_tls.h
+++ b/src/libpttls/pt_tls.h
@@ -102,7 +102,7 @@ enum pt_tls_auth_t {
* @param tls TLS socket to read from
* @param vendor receives Message Type Vendor ID from header
* @param type receives Message Type from header
- * @param identifier receives Message Identifer
+ * @param identifier receives Message Identifier
* @return reader over message value, NULL on error
*/
bio_reader_t* pt_tls_read(tls_socket_t *tls, uint32_t *vendor,
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index a1c645319..0168b1802 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -390,7 +390,7 @@ static bool authenticate(private_pt_tls_server_t *this)
{
if (do_sasl(this))
{
- /* complete SASL with emtpy mechanism list */
+ /* complete SASL with empty mechanism list */
return pt_tls_write(this->tls, PT_TLS_SASL_MECHS, this->identifier++,
chunk_empty);
}
diff --git a/src/libradius/radius_client.h b/src/libradius/radius_client.h
index cf5f79b6c..2f6c8a43a 100644
--- a/src/libradius/radius_client.h
+++ b/src/libradius/radius_client.h
@@ -30,7 +30,7 @@ typedef struct radius_client_t radius_client_t;
* RADIUS client functionality.
*
* To communicate with a RADIUS server, create a client and send messages over
- * it. The client allocates a socket from the best RADIUS server abailable.
+ * it. The client allocates a socket from the best RADIUS server available.
*/
struct radius_client_t {
diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h
index c72773312..eb14bf08e 100644
--- a/src/libradius/radius_message.h
+++ b/src/libradius/radius_message.h
@@ -320,7 +320,7 @@ struct radius_message_t {
radius_message_t *radius_message_create(radius_message_code_t code);
/**
- * Parse and verify a recevied RADIUS message.
+ * Parse and verify a received RADIUS message.
*
* @param data received message data
* @return radius_message_t object, NULL if length invalid
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index 115be79fb..b3d90d3e5 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -348,7 +348,14 @@ METHOD(radius_socket_t, decrypt_msk, chunk_t,
enumerator->destroy(enumerator);
if (send.ptr && recv.ptr)
{
- return chunk_cat("mm", recv, send);
+ chunk_t pad = chunk_empty;
+
+ if ((send.len + recv.len) < 64)
+ { /* zero-pad MSK to at least 64 bytes */
+ pad = chunk_alloca(64 - send.len - recv.len);
+ memset(pad.ptr, 0, pad.len);
+ }
+ return chunk_cat("mmc", recv, send, pad);
}
chunk_clear(&send);
chunk_clear(&recv);
diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h
index b10d1659b..9f6810f8f 100644
--- a/src/libsimaka/simaka_manager.h
+++ b/src/libsimaka/simaka_manager.h
@@ -98,7 +98,7 @@ struct simaka_manager_t {
* @param id permanent identity to request quintuplet for
* @param rand random value rand
* @param auts resynchronization parameter auts
- * @return TRUE if calculated, FALSE if no matcing card found
+ * @return TRUE if calculated, FALSE if no matching card found
*/
bool (*card_resync)(simaka_manager_t *this, identification_t *id,
char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 6827c1795..8f5812a76 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -49,7 +49,7 @@ struct hdr_t {
struct attr_hdr_t {
/** attribute type */
uint8_t type;
- /** attibute length */
+ /** attribute length */
uint8_t length;
} __attribute__((__packed__));
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 0247add96..fb7c62a8a 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -8,7 +8,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
-crypto/hashers/hash_algorithm_set.c \
+crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index a9759aeee..66539a879 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -6,7 +6,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
-crypto/hashers/hash_algorithm_set.c \
+crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
@@ -69,7 +69,7 @@ asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
collections/linked_list.h collections/array.h collections/dictionary.h \
crypto/crypters/crypter.h crypto/hashers/hasher.h \
-crypto/hashers/hash_algorithm_set.h crypto/mac.h \
+crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \
crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 356670dad..a0eb8b6b5 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -335,7 +335,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
collections/enumerator.c collections/hashtable.c \
collections/array.c collections/linked_list.c \
crypto/crypters/crypter.c crypto/hashers/hasher.c \
- crypto/hashers/hash_algorithm_set.c \
+ crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \
crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
@@ -425,6 +425,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
collections/array.lo collections/linked_list.lo \
crypto/crypters/crypter.lo crypto/hashers/hasher.lo \
crypto/hashers/hash_algorithm_set.lo \
+ crypto/proposal/proposal.lo \
crypto/proposal/proposal_keywords.lo \
crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \
crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \
@@ -556,7 +557,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
collections/linked_list.h collections/array.h \
collections/dictionary.h crypto/crypters/crypter.h \
crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \
- crypto/mac.h crypto/proposal/proposal_keywords.h \
+ crypto/mac.h crypto/proposal/proposal.h \
+ crypto/proposal/proposal_keywords.h \
crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h \
@@ -942,7 +944,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
collections/hashtable.c collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c \
crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \
- crypto/proposal/proposal_keywords.c \
+ crypto/proposal/proposal.c crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
crypto/prf_plus.c crypto/signers/signer.c \
@@ -1005,7 +1007,7 @@ settings/settings_types.h
@USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
@USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \
@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \
-@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \
+@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \
@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
@USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
@USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
@@ -1302,6 +1304,8 @@ crypto/proposal/$(am__dirstamp):
crypto/proposal/$(DEPDIR)/$(am__dirstamp):
@$(MKDIR_P) crypto/proposal/$(DEPDIR)
@: > crypto/proposal/$(DEPDIR)/$(am__dirstamp)
+crypto/proposal/proposal.lo: crypto/proposal/$(am__dirstamp) \
+ crypto/proposal/$(DEPDIR)/$(am__dirstamp)
crypto/proposal/proposal_keywords.lo: crypto/proposal/$(am__dirstamp) \
crypto/proposal/$(DEPDIR)/$(am__dirstamp)
crypto/proposal/proposal_keywords_static.lo: \
@@ -1855,6 +1859,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords_static.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/rngs/$(DEPDIR)/rng.Plo@am__quote@
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 6d9f98ee4..a70aafdd9 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -205,8 +205,8 @@ const oid_t oid_names[] = {
{ 0x02, 193, 0, 7, "ecdsa-with-SHA256" }, /* 192 */
{ 0x03, 194, 0, 7, "ecdsa-with-SHA384" }, /* 193 */
{ 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 194 */
- {0x2B, 425, 1, 0, "" }, /* 195 */
- { 0x06, 336, 1, 1, "dod" }, /* 196 */
+ {0x2B, 426, 1, 0, "" }, /* 195 */
+ { 0x06, 337, 1, 1, "dod" }, /* 196 */
{ 0x01, 0, 1, 2, "internet" }, /* 197 */
{ 0x04, 287, 1, 3, "private" }, /* 198 */
{ 0x01, 0, 1, 4, "enterprise" }, /* 199 */
@@ -299,211 +299,212 @@ const oid_t oid_names[] = {
{ 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 286 */
{ 0x05, 0, 1, 3, "security" }, /* 287 */
{ 0x05, 0, 1, 4, "mechanisms" }, /* 288 */
- { 0x07, 333, 1, 5, "id-pkix" }, /* 289 */
- { 0x01, 294, 1, 6, "id-pe" }, /* 290 */
+ { 0x07, 334, 1, 5, "id-pkix" }, /* 289 */
+ { 0x01, 295, 1, 6, "id-pe" }, /* 290 */
{ 0x01, 292, 0, 7, "authorityInfoAccess" }, /* 291 */
{ 0x03, 293, 0, 7, "qcStatements" }, /* 292 */
- { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 293 */
- { 0x02, 297, 1, 6, "id-qt" }, /* 294 */
- { 0x01, 296, 0, 7, "cps" }, /* 295 */
- { 0x02, 0, 0, 7, "unotice" }, /* 296 */
- { 0x03, 307, 1, 6, "id-kp" }, /* 297 */
- { 0x01, 299, 0, 7, "serverAuth" }, /* 298 */
- { 0x02, 300, 0, 7, "clientAuth" }, /* 299 */
- { 0x03, 301, 0, 7, "codeSigning" }, /* 300 */
- { 0x04, 302, 0, 7, "emailProtection" }, /* 301 */
- { 0x05, 303, 0, 7, "ipsecEndSystem" }, /* 302 */
- { 0x06, 304, 0, 7, "ipsecTunnel" }, /* 303 */
- { 0x07, 305, 0, 7, "ipsecUser" }, /* 304 */
- { 0x08, 306, 0, 7, "timeStamping" }, /* 305 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 306 */
- { 0x08, 315, 1, 6, "id-otherNames" }, /* 307 */
- { 0x01, 309, 0, 7, "personalData" }, /* 308 */
- { 0x02, 310, 0, 7, "userGroup" }, /* 309 */
- { 0x03, 311, 0, 7, "id-on-permanentIdentifier" }, /* 310 */
- { 0x04, 312, 0, 7, "id-on-hardwareModuleName" }, /* 311 */
- { 0x05, 313, 0, 7, "xmppAddr" }, /* 312 */
- { 0x06, 314, 0, 7, "id-on-SIM" }, /* 313 */
- { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 314 */
- { 0x0A, 320, 1, 6, "id-aca" }, /* 315 */
- { 0x01, 317, 0, 7, "authenticationInfo" }, /* 316 */
- { 0x02, 318, 0, 7, "accessIdentity" }, /* 317 */
- { 0x03, 319, 0, 7, "chargingIdentity" }, /* 318 */
- { 0x04, 0, 0, 7, "group" }, /* 319 */
- { 0x0B, 321, 0, 6, "subjectInfoAccess" }, /* 320 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 321 */
- { 0x01, 330, 1, 7, "ocsp" }, /* 322 */
- { 0x01, 324, 0, 8, "basic" }, /* 323 */
- { 0x02, 325, 0, 8, "nonce" }, /* 324 */
- { 0x03, 326, 0, 8, "crl" }, /* 325 */
- { 0x04, 327, 0, 8, "response" }, /* 326 */
- { 0x05, 328, 0, 8, "noCheck" }, /* 327 */
- { 0x06, 329, 0, 8, "archiveCutoff" }, /* 328 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 329 */
- { 0x02, 331, 0, 7, "caIssuers" }, /* 330 */
- { 0x03, 332, 0, 7, "timeStamping" }, /* 331 */
- { 0x05, 0, 0, 7, "caRepository" }, /* 332 */
- { 0x08, 0, 1, 5, "ipsec" }, /* 333 */
- { 0x02, 0, 1, 6, "certificate" }, /* 334 */
- { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 335 */
- { 0x0E, 342, 1, 1, "oiw" }, /* 336 */
- { 0x03, 0, 1, 2, "secsig" }, /* 337 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 338 */
- { 0x07, 340, 0, 4, "des-cbc" }, /* 339 */
- { 0x1A, 341, 0, 4, "sha-1" }, /* 340 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 341 */
- { 0x24, 388, 1, 1, "TeleTrusT" }, /* 342 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 343 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 344 */
- { 0x01, 349, 1, 4, "rsaSignature" }, /* 345 */
- { 0x02, 347, 0, 5, "rsaSigWithripemd160" }, /* 346 */
- { 0x03, 348, 0, 5, "rsaSigWithripemd128" }, /* 347 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 348 */
- { 0x02, 0, 1, 4, "ecSign" }, /* 349 */
- { 0x01, 351, 0, 5, "ecSignWithsha1" }, /* 350 */
- { 0x02, 352, 0, 5, "ecSignWithripemd160" }, /* 351 */
- { 0x03, 353, 0, 5, "ecSignWithmd2" }, /* 352 */
- { 0x04, 354, 0, 5, "ecSignWithmd5" }, /* 353 */
- { 0x05, 371, 1, 5, "ttt-ecg" }, /* 354 */
- { 0x01, 359, 1, 6, "fieldType" }, /* 355 */
- { 0x01, 0, 1, 7, "characteristictwoField" }, /* 356 */
- { 0x01, 0, 1, 8, "basisType" }, /* 357 */
- { 0x01, 0, 0, 9, "ipBasis" }, /* 358 */
- { 0x02, 361, 1, 6, "keyType" }, /* 359 */
- { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 360 */
- { 0x03, 362, 0, 6, "curve" }, /* 361 */
- { 0x04, 369, 1, 6, "signatures" }, /* 362 */
- { 0x01, 364, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 363 */
- { 0x02, 365, 0, 7, "ecgdsa-with-SHA1" }, /* 364 */
- { 0x03, 366, 0, 7, "ecgdsa-with-SHA224" }, /* 365 */
- { 0x04, 367, 0, 7, "ecgdsa-with-SHA256" }, /* 366 */
- { 0x05, 368, 0, 7, "ecgdsa-with-SHA384" }, /* 367 */
- { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 368 */
- { 0x05, 0, 1, 6, "module" }, /* 369 */
- { 0x01, 0, 0, 7, "1" }, /* 370 */
- { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 371 */
- { 0x01, 0, 1, 6, "ellipticCurve" }, /* 372 */
- { 0x01, 0, 1, 7, "versionOne" }, /* 373 */
- { 0x01, 375, 0, 8, "brainpoolP160r1" }, /* 374 */
- { 0x02, 376, 0, 8, "brainpoolP160t1" }, /* 375 */
- { 0x03, 377, 0, 8, "brainpoolP192r1" }, /* 376 */
- { 0x04, 378, 0, 8, "brainpoolP192t1" }, /* 377 */
- { 0x05, 379, 0, 8, "brainpoolP224r1" }, /* 378 */
- { 0x06, 380, 0, 8, "brainpoolP224t1" }, /* 379 */
- { 0x07, 381, 0, 8, "brainpoolP256r1" }, /* 380 */
- { 0x08, 382, 0, 8, "brainpoolP256t1" }, /* 381 */
- { 0x09, 383, 0, 8, "brainpoolP320r1" }, /* 382 */
- { 0x0A, 384, 0, 8, "brainpoolP320t1" }, /* 383 */
- { 0x0B, 385, 0, 8, "brainpoolP384r1" }, /* 384 */
- { 0x0C, 386, 0, 8, "brainpoolP384t1" }, /* 385 */
- { 0x0D, 387, 0, 8, "brainpoolP512r1" }, /* 386 */
- { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 387 */
- { 0x65, 391, 1, 1, "Thawte" }, /* 388 */
- { 0x70, 390, 0, 2, "id-Ed25519" }, /* 389 */
- { 0x71, 0, 0, 2, "id-Ed448" }, /* 390 */
- { 0x81, 0, 1, 1, "" }, /* 391 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 392 */
- { 0x00, 0, 1, 3, "curve" }, /* 393 */
- { 0x01, 395, 0, 4, "sect163k1" }, /* 394 */
- { 0x02, 396, 0, 4, "sect163r1" }, /* 395 */
- { 0x03, 397, 0, 4, "sect239k1" }, /* 396 */
- { 0x04, 398, 0, 4, "sect113r1" }, /* 397 */
- { 0x05, 399, 0, 4, "sect113r2" }, /* 398 */
- { 0x06, 400, 0, 4, "secp112r1" }, /* 399 */
- { 0x07, 401, 0, 4, "secp112r2" }, /* 400 */
- { 0x08, 402, 0, 4, "secp160r1" }, /* 401 */
- { 0x09, 403, 0, 4, "secp160k1" }, /* 402 */
- { 0x0A, 404, 0, 4, "secp256k1" }, /* 403 */
- { 0x0F, 405, 0, 4, "sect163r2" }, /* 404 */
- { 0x10, 406, 0, 4, "sect283k1" }, /* 405 */
- { 0x11, 407, 0, 4, "sect283r1" }, /* 406 */
- { 0x16, 408, 0, 4, "sect131r1" }, /* 407 */
- { 0x17, 409, 0, 4, "sect131r2" }, /* 408 */
- { 0x18, 410, 0, 4, "sect193r1" }, /* 409 */
- { 0x19, 411, 0, 4, "sect193r2" }, /* 410 */
- { 0x1A, 412, 0, 4, "sect233k1" }, /* 411 */
- { 0x1B, 413, 0, 4, "sect233r1" }, /* 412 */
- { 0x1C, 414, 0, 4, "secp128r1" }, /* 413 */
- { 0x1D, 415, 0, 4, "secp128r2" }, /* 414 */
- { 0x1E, 416, 0, 4, "secp160r2" }, /* 415 */
- { 0x1F, 417, 0, 4, "secp192k1" }, /* 416 */
- { 0x20, 418, 0, 4, "secp224k1" }, /* 417 */
- { 0x21, 419, 0, 4, "secp224r1" }, /* 418 */
- { 0x22, 420, 0, 4, "secp384r1" }, /* 419 */
- { 0x23, 421, 0, 4, "secp521r1" }, /* 420 */
- { 0x24, 422, 0, 4, "sect409k1" }, /* 421 */
- { 0x25, 423, 0, 4, "sect409r1" }, /* 422 */
- { 0x26, 424, 0, 4, "sect571k1" }, /* 423 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 424 */
- {0x60, 488, 1, 0, "" }, /* 425 */
- { 0x86, 0, 1, 1, "" }, /* 426 */
- { 0x48, 0, 1, 2, "" }, /* 427 */
- { 0x01, 0, 1, 3, "organization" }, /* 428 */
- { 0x65, 464, 1, 4, "gov" }, /* 429 */
- { 0x03, 0, 1, 5, "csor" }, /* 430 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 431 */
- { 0x01, 442, 1, 7, "aes" }, /* 432 */
- { 0x02, 434, 0, 8, "id-aes128-CBC" }, /* 433 */
- { 0x06, 435, 0, 8, "id-aes128-GCM" }, /* 434 */
- { 0x07, 436, 0, 8, "id-aes128-CCM" }, /* 435 */
- { 0x16, 437, 0, 8, "id-aes192-CBC" }, /* 436 */
- { 0x1A, 438, 0, 8, "id-aes192-GCM" }, /* 437 */
- { 0x1B, 439, 0, 8, "id-aes192-CCM" }, /* 438 */
- { 0x2A, 440, 0, 8, "id-aes256-CBC" }, /* 439 */
- { 0x2E, 441, 0, 8, "id-aes256-GCM" }, /* 440 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 441 */
- { 0x02, 455, 1, 7, "hashAlgs" }, /* 442 */
- { 0x01, 444, 0, 8, "id-sha256" }, /* 443 */
- { 0x02, 445, 0, 8, "id-sha384" }, /* 444 */
- { 0x03, 446, 0, 8, "id-sha512" }, /* 445 */
- { 0x04, 447, 0, 8, "id-sha224" }, /* 446 */
- { 0x05, 448, 0, 8, "id-sha512-224" }, /* 447 */
- { 0x06, 449, 0, 8, "id-sha512-256" }, /* 448 */
- { 0x07, 450, 0, 8, "id-sha3-224" }, /* 449 */
- { 0x08, 451, 0, 8, "id-sha3-256" }, /* 450 */
- { 0x09, 452, 0, 8, "id-sha3-384" }, /* 451 */
- { 0x0A, 453, 0, 8, "id-sha3-512" }, /* 452 */
- { 0x0B, 454, 0, 8, "id-shake128" }, /* 453 */
- { 0x0C, 0, 0, 8, "id-shake256" }, /* 454 */
- { 0x03, 0, 1, 7, "sigAlgs" }, /* 455 */
- { 0x09, 457, 0, 8, "id-ecdsa-with-sha3-224" }, /* 456 */
- { 0x0A, 458, 0, 8, "id-ecdsa-with-sha3-256" }, /* 457 */
- { 0x0B, 459, 0, 8, "id-ecdsa-with-sha3-384" }, /* 458 */
- { 0x0C, 460, 0, 8, "id-ecdsa-with-sha3-512" }, /* 459 */
- { 0x0D, 461, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 460 */
- { 0x0E, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 461 */
- { 0x0F, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 462 */
- { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 463 */
- { 0x86, 0, 1, 4, "" }, /* 464 */
- { 0xf8, 0, 1, 5, "" }, /* 465 */
- { 0x42, 478, 1, 6, "netscape" }, /* 466 */
- { 0x01, 473, 1, 7, "" }, /* 467 */
- { 0x01, 469, 0, 8, "nsCertType" }, /* 468 */
- { 0x03, 470, 0, 8, "nsRevocationUrl" }, /* 469 */
- { 0x04, 471, 0, 8, "nsCaRevocationUrl" }, /* 470 */
- { 0x08, 472, 0, 8, "nsCaPolicyUrl" }, /* 471 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 472 */
- { 0x03, 476, 1, 7, "directory" }, /* 473 */
- { 0x01, 0, 1, 8, "" }, /* 474 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 475 */
- { 0x04, 0, 1, 7, "policy" }, /* 476 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 477 */
- { 0x45, 0, 1, 6, "verisign" }, /* 478 */
- { 0x01, 0, 1, 7, "pki" }, /* 479 */
- { 0x09, 0, 1, 8, "attributes" }, /* 480 */
- { 0x02, 482, 0, 9, "messageType" }, /* 481 */
- { 0x03, 483, 0, 9, "pkiStatus" }, /* 482 */
- { 0x04, 484, 0, 9, "failInfo" }, /* 483 */
- { 0x05, 485, 0, 9, "senderNonce" }, /* 484 */
- { 0x06, 486, 0, 9, "recipientNonce" }, /* 485 */
- { 0x07, 487, 0, 9, "transID" }, /* 486 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 487 */
- {0x67, 0, 1, 0, "" }, /* 488 */
- { 0x81, 0, 1, 1, "" }, /* 489 */
- { 0x05, 0, 1, 2, "" }, /* 490 */
- { 0x02, 0, 1, 3, "tcg-attribute" }, /* 491 */
- { 0x01, 493, 0, 4, "tcg-at-tpmManufacturer" }, /* 492 */
- { 0x02, 494, 0, 4, "tcg-at-tpmModel" }, /* 493 */
- { 0x03, 495, 0, 4, "tcg-at-tpmVersion" }, /* 494 */
- { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 495 */
+ { 0x07, 294, 0, 7, "ipAddrBlocks" }, /* 293 */
+ { 0x18, 0, 0, 7, "tlsfeature" }, /* 294 */
+ { 0x02, 298, 1, 6, "id-qt" }, /* 295 */
+ { 0x01, 297, 0, 7, "cps" }, /* 296 */
+ { 0x02, 0, 0, 7, "unotice" }, /* 297 */
+ { 0x03, 308, 1, 6, "id-kp" }, /* 298 */
+ { 0x01, 300, 0, 7, "serverAuth" }, /* 299 */
+ { 0x02, 301, 0, 7, "clientAuth" }, /* 300 */
+ { 0x03, 302, 0, 7, "codeSigning" }, /* 301 */
+ { 0x04, 303, 0, 7, "emailProtection" }, /* 302 */
+ { 0x05, 304, 0, 7, "ipsecEndSystem" }, /* 303 */
+ { 0x06, 305, 0, 7, "ipsecTunnel" }, /* 304 */
+ { 0x07, 306, 0, 7, "ipsecUser" }, /* 305 */
+ { 0x08, 307, 0, 7, "timeStamping" }, /* 306 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 307 */
+ { 0x08, 316, 1, 6, "id-otherNames" }, /* 308 */
+ { 0x01, 310, 0, 7, "personalData" }, /* 309 */
+ { 0x02, 311, 0, 7, "userGroup" }, /* 310 */
+ { 0x03, 312, 0, 7, "id-on-permanentIdentifier" }, /* 311 */
+ { 0x04, 313, 0, 7, "id-on-hardwareModuleName" }, /* 312 */
+ { 0x05, 314, 0, 7, "xmppAddr" }, /* 313 */
+ { 0x06, 315, 0, 7, "id-on-SIM" }, /* 314 */
+ { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 315 */
+ { 0x0A, 321, 1, 6, "id-aca" }, /* 316 */
+ { 0x01, 318, 0, 7, "authenticationInfo" }, /* 317 */
+ { 0x02, 319, 0, 7, "accessIdentity" }, /* 318 */
+ { 0x03, 320, 0, 7, "chargingIdentity" }, /* 319 */
+ { 0x04, 0, 0, 7, "group" }, /* 320 */
+ { 0x0B, 322, 0, 6, "subjectInfoAccess" }, /* 321 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 322 */
+ { 0x01, 331, 1, 7, "ocsp" }, /* 323 */
+ { 0x01, 325, 0, 8, "basic" }, /* 324 */
+ { 0x02, 326, 0, 8, "nonce" }, /* 325 */
+ { 0x03, 327, 0, 8, "crl" }, /* 326 */
+ { 0x04, 328, 0, 8, "response" }, /* 327 */
+ { 0x05, 329, 0, 8, "noCheck" }, /* 328 */
+ { 0x06, 330, 0, 8, "archiveCutoff" }, /* 329 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 330 */
+ { 0x02, 332, 0, 7, "caIssuers" }, /* 331 */
+ { 0x03, 333, 0, 7, "timeStamping" }, /* 332 */
+ { 0x05, 0, 0, 7, "caRepository" }, /* 333 */
+ { 0x08, 0, 1, 5, "ipsec" }, /* 334 */
+ { 0x02, 0, 1, 6, "certificate" }, /* 335 */
+ { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 336 */
+ { 0x0E, 343, 1, 1, "oiw" }, /* 337 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 338 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 339 */
+ { 0x07, 341, 0, 4, "des-cbc" }, /* 340 */
+ { 0x1A, 342, 0, 4, "sha-1" }, /* 341 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 342 */
+ { 0x24, 389, 1, 1, "TeleTrusT" }, /* 343 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 344 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 345 */
+ { 0x01, 350, 1, 4, "rsaSignature" }, /* 346 */
+ { 0x02, 348, 0, 5, "rsaSigWithripemd160" }, /* 347 */
+ { 0x03, 349, 0, 5, "rsaSigWithripemd128" }, /* 348 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 349 */
+ { 0x02, 0, 1, 4, "ecSign" }, /* 350 */
+ { 0x01, 352, 0, 5, "ecSignWithsha1" }, /* 351 */
+ { 0x02, 353, 0, 5, "ecSignWithripemd160" }, /* 352 */
+ { 0x03, 354, 0, 5, "ecSignWithmd2" }, /* 353 */
+ { 0x04, 355, 0, 5, "ecSignWithmd5" }, /* 354 */
+ { 0x05, 372, 1, 5, "ttt-ecg" }, /* 355 */
+ { 0x01, 360, 1, 6, "fieldType" }, /* 356 */
+ { 0x01, 0, 1, 7, "characteristictwoField" }, /* 357 */
+ { 0x01, 0, 1, 8, "basisType" }, /* 358 */
+ { 0x01, 0, 0, 9, "ipBasis" }, /* 359 */
+ { 0x02, 362, 1, 6, "keyType" }, /* 360 */
+ { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 361 */
+ { 0x03, 363, 0, 6, "curve" }, /* 362 */
+ { 0x04, 370, 1, 6, "signatures" }, /* 363 */
+ { 0x01, 365, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 364 */
+ { 0x02, 366, 0, 7, "ecgdsa-with-SHA1" }, /* 365 */
+ { 0x03, 367, 0, 7, "ecgdsa-with-SHA224" }, /* 366 */
+ { 0x04, 368, 0, 7, "ecgdsa-with-SHA256" }, /* 367 */
+ { 0x05, 369, 0, 7, "ecgdsa-with-SHA384" }, /* 368 */
+ { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 369 */
+ { 0x05, 0, 1, 6, "module" }, /* 370 */
+ { 0x01, 0, 0, 7, "1" }, /* 371 */
+ { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 372 */
+ { 0x01, 0, 1, 6, "ellipticCurve" }, /* 373 */
+ { 0x01, 0, 1, 7, "versionOne" }, /* 374 */
+ { 0x01, 376, 0, 8, "brainpoolP160r1" }, /* 375 */
+ { 0x02, 377, 0, 8, "brainpoolP160t1" }, /* 376 */
+ { 0x03, 378, 0, 8, "brainpoolP192r1" }, /* 377 */
+ { 0x04, 379, 0, 8, "brainpoolP192t1" }, /* 378 */
+ { 0x05, 380, 0, 8, "brainpoolP224r1" }, /* 379 */
+ { 0x06, 381, 0, 8, "brainpoolP224t1" }, /* 380 */
+ { 0x07, 382, 0, 8, "brainpoolP256r1" }, /* 381 */
+ { 0x08, 383, 0, 8, "brainpoolP256t1" }, /* 382 */
+ { 0x09, 384, 0, 8, "brainpoolP320r1" }, /* 383 */
+ { 0x0A, 385, 0, 8, "brainpoolP320t1" }, /* 384 */
+ { 0x0B, 386, 0, 8, "brainpoolP384r1" }, /* 385 */
+ { 0x0C, 387, 0, 8, "brainpoolP384t1" }, /* 386 */
+ { 0x0D, 388, 0, 8, "brainpoolP512r1" }, /* 387 */
+ { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 388 */
+ { 0x65, 392, 1, 1, "Thawte" }, /* 389 */
+ { 0x70, 391, 0, 2, "id-Ed25519" }, /* 390 */
+ { 0x71, 0, 0, 2, "id-Ed448" }, /* 391 */
+ { 0x81, 0, 1, 1, "" }, /* 392 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 393 */
+ { 0x00, 0, 1, 3, "curve" }, /* 394 */
+ { 0x01, 396, 0, 4, "sect163k1" }, /* 395 */
+ { 0x02, 397, 0, 4, "sect163r1" }, /* 396 */
+ { 0x03, 398, 0, 4, "sect239k1" }, /* 397 */
+ { 0x04, 399, 0, 4, "sect113r1" }, /* 398 */
+ { 0x05, 400, 0, 4, "sect113r2" }, /* 399 */
+ { 0x06, 401, 0, 4, "secp112r1" }, /* 400 */
+ { 0x07, 402, 0, 4, "secp112r2" }, /* 401 */
+ { 0x08, 403, 0, 4, "secp160r1" }, /* 402 */
+ { 0x09, 404, 0, 4, "secp160k1" }, /* 403 */
+ { 0x0A, 405, 0, 4, "secp256k1" }, /* 404 */
+ { 0x0F, 406, 0, 4, "sect163r2" }, /* 405 */
+ { 0x10, 407, 0, 4, "sect283k1" }, /* 406 */
+ { 0x11, 408, 0, 4, "sect283r1" }, /* 407 */
+ { 0x16, 409, 0, 4, "sect131r1" }, /* 408 */
+ { 0x17, 410, 0, 4, "sect131r2" }, /* 409 */
+ { 0x18, 411, 0, 4, "sect193r1" }, /* 410 */
+ { 0x19, 412, 0, 4, "sect193r2" }, /* 411 */
+ { 0x1A, 413, 0, 4, "sect233k1" }, /* 412 */
+ { 0x1B, 414, 0, 4, "sect233r1" }, /* 413 */
+ { 0x1C, 415, 0, 4, "secp128r1" }, /* 414 */
+ { 0x1D, 416, 0, 4, "secp128r2" }, /* 415 */
+ { 0x1E, 417, 0, 4, "secp160r2" }, /* 416 */
+ { 0x1F, 418, 0, 4, "secp192k1" }, /* 417 */
+ { 0x20, 419, 0, 4, "secp224k1" }, /* 418 */
+ { 0x21, 420, 0, 4, "secp224r1" }, /* 419 */
+ { 0x22, 421, 0, 4, "secp384r1" }, /* 420 */
+ { 0x23, 422, 0, 4, "secp521r1" }, /* 421 */
+ { 0x24, 423, 0, 4, "sect409k1" }, /* 422 */
+ { 0x25, 424, 0, 4, "sect409r1" }, /* 423 */
+ { 0x26, 425, 0, 4, "sect571k1" }, /* 424 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 425 */
+ {0x60, 489, 1, 0, "" }, /* 426 */
+ { 0x86, 0, 1, 1, "" }, /* 427 */
+ { 0x48, 0, 1, 2, "" }, /* 428 */
+ { 0x01, 0, 1, 3, "organization" }, /* 429 */
+ { 0x65, 465, 1, 4, "gov" }, /* 430 */
+ { 0x03, 0, 1, 5, "csor" }, /* 431 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 432 */
+ { 0x01, 443, 1, 7, "aes" }, /* 433 */
+ { 0x02, 435, 0, 8, "id-aes128-CBC" }, /* 434 */
+ { 0x06, 436, 0, 8, "id-aes128-GCM" }, /* 435 */
+ { 0x07, 437, 0, 8, "id-aes128-CCM" }, /* 436 */
+ { 0x16, 438, 0, 8, "id-aes192-CBC" }, /* 437 */
+ { 0x1A, 439, 0, 8, "id-aes192-GCM" }, /* 438 */
+ { 0x1B, 440, 0, 8, "id-aes192-CCM" }, /* 439 */
+ { 0x2A, 441, 0, 8, "id-aes256-CBC" }, /* 440 */
+ { 0x2E, 442, 0, 8, "id-aes256-GCM" }, /* 441 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 442 */
+ { 0x02, 456, 1, 7, "hashAlgs" }, /* 443 */
+ { 0x01, 445, 0, 8, "id-sha256" }, /* 444 */
+ { 0x02, 446, 0, 8, "id-sha384" }, /* 445 */
+ { 0x03, 447, 0, 8, "id-sha512" }, /* 446 */
+ { 0x04, 448, 0, 8, "id-sha224" }, /* 447 */
+ { 0x05, 449, 0, 8, "id-sha512-224" }, /* 448 */
+ { 0x06, 450, 0, 8, "id-sha512-256" }, /* 449 */
+ { 0x07, 451, 0, 8, "id-sha3-224" }, /* 450 */
+ { 0x08, 452, 0, 8, "id-sha3-256" }, /* 451 */
+ { 0x09, 453, 0, 8, "id-sha3-384" }, /* 452 */
+ { 0x0A, 454, 0, 8, "id-sha3-512" }, /* 453 */
+ { 0x0B, 455, 0, 8, "id-shake128" }, /* 454 */
+ { 0x0C, 0, 0, 8, "id-shake256" }, /* 455 */
+ { 0x03, 0, 1, 7, "sigAlgs" }, /* 456 */
+ { 0x09, 458, 0, 8, "id-ecdsa-with-sha3-224" }, /* 457 */
+ { 0x0A, 459, 0, 8, "id-ecdsa-with-sha3-256" }, /* 458 */
+ { 0x0B, 460, 0, 8, "id-ecdsa-with-sha3-384" }, /* 459 */
+ { 0x0C, 461, 0, 8, "id-ecdsa-with-sha3-512" }, /* 460 */
+ { 0x0D, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 461 */
+ { 0x0E, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 462 */
+ { 0x0F, 464, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 463 */
+ { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 464 */
+ { 0x86, 0, 1, 4, "" }, /* 465 */
+ { 0xf8, 0, 1, 5, "" }, /* 466 */
+ { 0x42, 479, 1, 6, "netscape" }, /* 467 */
+ { 0x01, 474, 1, 7, "" }, /* 468 */
+ { 0x01, 470, 0, 8, "nsCertType" }, /* 469 */
+ { 0x03, 471, 0, 8, "nsRevocationUrl" }, /* 470 */
+ { 0x04, 472, 0, 8, "nsCaRevocationUrl" }, /* 471 */
+ { 0x08, 473, 0, 8, "nsCaPolicyUrl" }, /* 472 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 473 */
+ { 0x03, 477, 1, 7, "directory" }, /* 474 */
+ { 0x01, 0, 1, 8, "" }, /* 475 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 476 */
+ { 0x04, 0, 1, 7, "policy" }, /* 477 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 478 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 479 */
+ { 0x01, 0, 1, 7, "pki" }, /* 480 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 481 */
+ { 0x02, 483, 0, 9, "messageType" }, /* 482 */
+ { 0x03, 484, 0, 9, "pkiStatus" }, /* 483 */
+ { 0x04, 485, 0, 9, "failInfo" }, /* 484 */
+ { 0x05, 486, 0, 9, "senderNonce" }, /* 485 */
+ { 0x06, 487, 0, 9, "recipientNonce" }, /* 486 */
+ { 0x07, 488, 0, 9, "transID" }, /* 487 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 488 */
+ {0x67, 0, 1, 0, "" }, /* 489 */
+ { 0x81, 0, 1, 1, "" }, /* 490 */
+ { 0x05, 0, 1, 2, "" }, /* 491 */
+ { 0x02, 0, 1, 3, "tcg-attribute" }, /* 492 */
+ { 0x01, 494, 0, 4, "tcg-at-tpmManufacturer" }, /* 493 */
+ { 0x02, 495, 0, 4, "tcg-at-tpmModel" }, /* 494 */
+ { 0x03, 496, 0, 4, "tcg-at-tpmVersion" }, /* 495 */
+ { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 496 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 0e9b7ea24..230fe2f87 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -167,110 +167,110 @@ extern const oid_t oid_names[];
#define OID_BLOWFISH_CBC 247
#define OID_AUTHORITY_INFO_ACCESS 291
#define OID_IP_ADDR_BLOCKS 293
-#define OID_POLICY_QUALIFIER_CPS 295
-#define OID_POLICY_QUALIFIER_UNOTICE 296
-#define OID_SERVER_AUTH 298
-#define OID_CLIENT_AUTH 299
-#define OID_OCSP_SIGNING 306
-#define OID_XMPP_ADDR 312
-#define OID_AUTHENTICATION_INFO 316
-#define OID_ACCESS_IDENTITY 317
-#define OID_CHARGING_IDENTITY 318
-#define OID_GROUP 319
-#define OID_OCSP 322
-#define OID_BASIC 323
-#define OID_NONCE 324
-#define OID_CRL 325
-#define OID_RESPONSE 326
-#define OID_NO_CHECK 327
-#define OID_ARCHIVE_CUTOFF 328
-#define OID_SERVICE_LOCATOR 329
-#define OID_CA_ISSUERS 330
-#define OID_IKE_INTERMEDIATE 335
-#define OID_DES_CBC 339
-#define OID_SHA1 340
-#define OID_SHA1_WITH_RSA_OIW 341
-#define OID_ECGDSA_PUBKEY 360
-#define OID_ECGDSA_SIG_WITH_RIPEMD160 363
-#define OID_ECGDSA_SIG_WITH_SHA1 364
-#define OID_ECGDSA_SIG_WITH_SHA224 365
-#define OID_ECGDSA_SIG_WITH_SHA256 366
-#define OID_ECGDSA_SIG_WITH_SHA384 367
-#define OID_ECGDSA_SIG_WITH_SHA512 368
-#define OID_ED25519 389
-#define OID_ED448 390
-#define OID_SECT163K1 394
-#define OID_SECT163R1 395
-#define OID_SECT239K1 396
-#define OID_SECT113R1 397
-#define OID_SECT113R2 398
-#define OID_SECT112R1 399
-#define OID_SECT112R2 400
-#define OID_SECT160R1 401
-#define OID_SECT160K1 402
-#define OID_SECT256K1 403
-#define OID_SECT163R2 404
-#define OID_SECT283K1 405
-#define OID_SECT283R1 406
-#define OID_SECT131R1 407
-#define OID_SECT131R2 408
-#define OID_SECT193R1 409
-#define OID_SECT193R2 410
-#define OID_SECT233K1 411
-#define OID_SECT233R1 412
-#define OID_SECT128R1 413
-#define OID_SECT128R2 414
-#define OID_SECT160R2 415
-#define OID_SECT192K1 416
-#define OID_SECT224K1 417
-#define OID_SECT224R1 418
-#define OID_SECT384R1 419
-#define OID_SECT521R1 420
-#define OID_SECT409K1 421
-#define OID_SECT409R1 422
-#define OID_SECT571K1 423
-#define OID_SECT571R1 424
-#define OID_AES128_CBC 433
-#define OID_AES128_GCM 434
-#define OID_AES128_CCM 435
-#define OID_AES192_CBC 436
-#define OID_AES192_GCM 437
-#define OID_AES192_CCM 438
-#define OID_AES256_CBC 439
-#define OID_AES256_GCM 440
-#define OID_AES256_CCM 441
-#define OID_SHA256 443
-#define OID_SHA384 444
-#define OID_SHA512 445
-#define OID_SHA224 446
-#define OID_SHA3_224 449
-#define OID_SHA3_256 450
-#define OID_SHA3_384 451
-#define OID_SHA3_512 452
-#define OID_ECDSA_WITH_SHA3_224 456
-#define OID_ECDSA_WITH_SHA3_256 457
-#define OID_ECDSA_WITH_SHA3_384 458
-#define OID_ECDSA_WITH_SHA3_512 459
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 460
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 461
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 462
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 463
-#define OID_NS_REVOCATION_URL 469
-#define OID_NS_CA_REVOCATION_URL 470
-#define OID_NS_CA_POLICY_URL 471
-#define OID_NS_COMMENT 472
-#define OID_EMPLOYEE_NUMBER 475
-#define OID_PKI_MESSAGE_TYPE 481
-#define OID_PKI_STATUS 482
-#define OID_PKI_FAIL_INFO 483
-#define OID_PKI_SENDER_NONCE 484
-#define OID_PKI_RECIPIENT_NONCE 485
-#define OID_PKI_TRANS_ID 486
-#define OID_TPM_MANUFACTURER 492
-#define OID_TPM_MODEL 493
-#define OID_TPM_VERSION 494
-#define OID_TPM_ID_LABEL 495
+#define OID_POLICY_QUALIFIER_CPS 296
+#define OID_POLICY_QUALIFIER_UNOTICE 297
+#define OID_SERVER_AUTH 299
+#define OID_CLIENT_AUTH 300
+#define OID_OCSP_SIGNING 307
+#define OID_XMPP_ADDR 313
+#define OID_AUTHENTICATION_INFO 317
+#define OID_ACCESS_IDENTITY 318
+#define OID_CHARGING_IDENTITY 319
+#define OID_GROUP 320
+#define OID_OCSP 323
+#define OID_BASIC 324
+#define OID_NONCE 325
+#define OID_CRL 326
+#define OID_RESPONSE 327
+#define OID_NO_CHECK 328
+#define OID_ARCHIVE_CUTOFF 329
+#define OID_SERVICE_LOCATOR 330
+#define OID_CA_ISSUERS 331
+#define OID_IKE_INTERMEDIATE 336
+#define OID_DES_CBC 340
+#define OID_SHA1 341
+#define OID_SHA1_WITH_RSA_OIW 342
+#define OID_ECGDSA_PUBKEY 361
+#define OID_ECGDSA_SIG_WITH_RIPEMD160 364
+#define OID_ECGDSA_SIG_WITH_SHA1 365
+#define OID_ECGDSA_SIG_WITH_SHA224 366
+#define OID_ECGDSA_SIG_WITH_SHA256 367
+#define OID_ECGDSA_SIG_WITH_SHA384 368
+#define OID_ECGDSA_SIG_WITH_SHA512 369
+#define OID_ED25519 390
+#define OID_ED448 391
+#define OID_SECT163K1 395
+#define OID_SECT163R1 396
+#define OID_SECT239K1 397
+#define OID_SECT113R1 398
+#define OID_SECT113R2 399
+#define OID_SECT112R1 400
+#define OID_SECT112R2 401
+#define OID_SECT160R1 402
+#define OID_SECT160K1 403
+#define OID_SECT256K1 404
+#define OID_SECT163R2 405
+#define OID_SECT283K1 406
+#define OID_SECT283R1 407
+#define OID_SECT131R1 408
+#define OID_SECT131R2 409
+#define OID_SECT193R1 410
+#define OID_SECT193R2 411
+#define OID_SECT233K1 412
+#define OID_SECT233R1 413
+#define OID_SECT128R1 414
+#define OID_SECT128R2 415
+#define OID_SECT160R2 416
+#define OID_SECT192K1 417
+#define OID_SECT224K1 418
+#define OID_SECT224R1 419
+#define OID_SECT384R1 420
+#define OID_SECT521R1 421
+#define OID_SECT409K1 422
+#define OID_SECT409R1 423
+#define OID_SECT571K1 424
+#define OID_SECT571R1 425
+#define OID_AES128_CBC 434
+#define OID_AES128_GCM 435
+#define OID_AES128_CCM 436
+#define OID_AES192_CBC 437
+#define OID_AES192_GCM 438
+#define OID_AES192_CCM 439
+#define OID_AES256_CBC 440
+#define OID_AES256_GCM 441
+#define OID_AES256_CCM 442
+#define OID_SHA256 444
+#define OID_SHA384 445
+#define OID_SHA512 446
+#define OID_SHA224 447
+#define OID_SHA3_224 450
+#define OID_SHA3_256 451
+#define OID_SHA3_384 452
+#define OID_SHA3_512 453
+#define OID_ECDSA_WITH_SHA3_224 457
+#define OID_ECDSA_WITH_SHA3_256 458
+#define OID_ECDSA_WITH_SHA3_384 459
+#define OID_ECDSA_WITH_SHA3_512 460
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 461
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 462
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 463
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 464
+#define OID_NS_REVOCATION_URL 470
+#define OID_NS_CA_REVOCATION_URL 471
+#define OID_NS_CA_POLICY_URL 472
+#define OID_NS_COMMENT 473
+#define OID_EMPLOYEE_NUMBER 476
+#define OID_PKI_MESSAGE_TYPE 482
+#define OID_PKI_STATUS 483
+#define OID_PKI_FAIL_INFO 484
+#define OID_PKI_SENDER_NONCE 485
+#define OID_PKI_RECIPIENT_NONCE 486
+#define OID_PKI_TRANS_ID 487
+#define OID_TPM_MANUFACTURER 493
+#define OID_TPM_MODEL 494
+#define OID_TPM_VERSION 495
+#define OID_TPM_ID_LABEL 496
-#define OID_MAX 496
+#define OID_MAX 497
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 9583baa5e..369f6f899 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -292,6 +292,7 @@
0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS
0x03 "qcStatements"
0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS
+ 0x18 "tlsfeature"
0x02 "id-qt"
0x01 "cps" OID_POLICY_QUALIFIER_CPS
0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index 246b9a5c5..c99cb836b 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -195,7 +195,7 @@ struct linked_list_t {
* If a linked list contains objects with function pointers,
* invoke() can call a method on each of the objects. The
* method is specified by an offset of the function pointer,
- * which can be evalutated at compile time using the offsetof
+ * which can be evaluated at compile time using the offsetof
* macro, e.g.: list->invoke(list, offsetof(object_t, method));
*
* @param offset offset of the method to invoke on objects
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index d1be7b401..278c67405 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -73,9 +73,6 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
- case AUTH_RULE_RSA_STRENGTH:
- case AUTH_RULE_ECDSA_STRENGTH:
- case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_IDENTITY:
case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_EAP_IDENTITY:
@@ -94,6 +91,9 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_CERT_POLICY:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
case AUTH_RULE_IKE_SIGNATURE_SCHEME:
case AUTH_HELPER_IM_CERT:
@@ -737,8 +737,8 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
}
enumerator->destroy(enumerator);
- /* if no explicit IKE signature contraints were added we add them for all
- * configured signature contraints */
+ /* if no explicit IKE signature constraints were added we add them for all
+ * configured signature constraints */
if (ike && !ike_added &&
lib->settings->get_bool(lib->settings,
"%s.signature_authentication_constraints", TRUE,
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 303816391..d6523821e 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -39,7 +39,7 @@ struct private_cred_encoding_t {
hashtable_t *cache[CRED_ENCODING_MAX];
/**
- * Registered encoding fuctions, cred_encoder_t
+ * Registered encoding functions, cred_encoder_t
*/
linked_list_t *encoders;
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index 6b4d22e7b..8f42fb940 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -280,13 +280,17 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
case RSASSA_PSS_PARAMS_MGF_ALG:
if (object.len)
{
- chunk_t hash;
+ chunk_t hash = chunk_empty;
alg = asn1_parse_algorithmIdentifier(object, level, &hash);
if (alg != OID_MGF1)
{
goto end;
}
+ if (!hash.len)
+ {
+ goto end;
+ }
alg = asn1_parse_algorithmIdentifier(hash, level+1, NULL);
params->mgf1_hash = hasher_algorithm_from_oid(alg);
if (params->mgf1_hash == HASH_UNKNOWN)
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 0e64f0350..f1579c60a 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -239,7 +239,7 @@ METHOD(cert_cache_t, issued_by, bool,
}
/**
- * certificate enumerator implemenation
+ * certificate enumerator implementation
*/
typedef struct {
/** implements enumerator_t interface */
diff --git a/src/libcharon/config/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c
index 46c3c9400..bb0a02b59 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libstrongswan/crypto/proposal/proposal.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2006-2010 Martin Willi
* Copyright (C) 2013-2015 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -19,7 +19,6 @@
#include "proposal.h"
-#include <daemon.h>
#include <collections/array.h>
#include <utils/identification.h>
@@ -172,6 +171,36 @@ METHOD(proposal_t, has_dh_group, bool,
return found;
}
+METHOD(proposal_t, promote_dh_group, bool,
+ private_proposal_t *this, diffie_hellman_group_t group)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool found = FALSE;
+
+ enumerator = array_create_enumerator(this->transforms);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->type == DIFFIE_HELLMAN_GROUP &&
+ entry->alg == group)
+ {
+ array_remove_at(this->transforms, enumerator);
+ found = TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (found)
+ {
+ entry_t entry = {
+ .type = DIFFIE_HELLMAN_GROUP,
+ .alg = group,
+ };
+ array_insert(this->transforms, ARRAY_HEAD, &entry);
+ }
+ return found;
+}
+
METHOD(proposal_t, strip_dh, void,
private_proposal_t *this, diffie_hellman_group_t keep)
{
@@ -668,7 +697,7 @@ int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
{
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &this))
- { /* call recursivly */
+ { /* call recursively */
if (first)
{
written += print_in_hook(data, "%P", this);
@@ -717,6 +746,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number)
.create_enumerator = _create_enumerator,
.get_algorithm = _get_algorithm,
.has_dh_group = _has_dh_group,
+ .promote_dh_group = _promote_dh_group,
.strip_dh = _strip_dh,
.select = _select_proposal,
.get_protocol = _get_protocol,
@@ -954,6 +984,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
{
case MODP_3072_BIT:
case MODP_4096_BIT:
+ case MODP_6144_BIT:
case MODP_8192_BIT:
add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
break;
diff --git a/src/libcharon/config/proposal.h b/src/libstrongswan/crypto/proposal/proposal.h
index 0dc70f4c5..0052674b9 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libstrongswan/crypto/proposal/proposal.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2016 Tobias Brunner
+ * Copyright (C) 2009-2018 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
@@ -16,7 +16,7 @@
/**
* @defgroup proposal proposal
- * @{ @ingroup config
+ * @{ @ingroup crypto
*/
#ifndef PROPOSAL_H_
@@ -108,7 +108,16 @@ struct proposal_t {
* @param group group to check for
* @return TRUE if algorithm included
*/
- bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
+ bool (*has_dh_group)(proposal_t *this, diffie_hellman_group_t group);
+
+ /**
+ * Move the given DH group to the front of the list if it was contained in
+ * the proposal.
+ *
+ * @param group group to promote
+ * @return TRUE if algorithm included
+ */
+ bool (*promote_dh_group)(proposal_t *this, diffie_hellman_group_t group);
/**
* Strip DH groups from proposal to use it without PFS.
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
index 856abdce6..b062221e5 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -37,7 +37,7 @@
/**
* @defgroup proposal_keywords proposal_keywords
- * @{ @ingroup crypto
+ * @{ @ingroup proposal
*/
#ifndef PROPOSAL_KEYWORDS_H_
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
index 64b5dbe51..2b7295e3d 100644
--- a/src/libstrongswan/eap/eap.c
+++ b/src/libstrongswan/eap/eap.c
@@ -157,6 +157,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str)
type = eap_type_from_string(part);
if (!type)
{
+ errno = 0;
type = strtoul(part, &end, 0);
if (*end != '\0' || errno)
{
@@ -166,6 +167,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str)
}
continue;
}
+ errno = 0;
vendor = strtoul(part, &end, 0);
if (*end != '\0' || errno)
{
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 68c3935b9..c992eb5ad 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -104,7 +104,10 @@ bool mark_from_string(const char *value, mark_t *mark)
{
mark->mask = 0xffffffff;
}
- /* apply the mask to ensure the value is in range */
- mark->value &= mark->mask;
+ if (!MARK_IS_UNIQUE(mark->value))
+ {
+ /* apply the mask to ensure the value is in range */
+ mark->value &= mark->mask;
+ }
return TRUE;
}
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 7944b9356..dbdf5cfe9 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -26,6 +26,7 @@
#include <collections/hashtable.h>
#include <utils/backtrace.h>
#include <selectors/traffic_selector.h>
+#include <crypto/proposal/proposal.h>
#define CHECKSUM_LIBRARY IPSEC_LIB_DIR"/libchecksum.so"
@@ -369,6 +370,8 @@ bool library_init(char *settings, const char *namespace)
PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
pfh->add_handler(pfh, 'R', traffic_selector_printf_hook,
PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
+ pfh->add_handler(pfh, 'P', proposal_printf_hook,
+ PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
this->objects = hashtable_create((hashtable_hash_t)hash,
(hashtable_equals_t)equals, 4);
diff --git a/src/libstrongswan/plugins/blowfish/bf_enc.c b/src/libstrongswan/plugins/blowfish/bf_enc.c
index ebcc5dbdf..f9591c1a4 100644
--- a/src/libstrongswan/plugins/blowfish/bf_enc.c
+++ b/src/libstrongswan/plugins/blowfish/bf_enc.c
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/bf_locl.h b/src/libstrongswan/plugins/blowfish/bf_locl.h
index 1375a0aa9..e5f49280b 100644
--- a/src/libstrongswan/plugins/blowfish/bf_locl.h
+++ b/src/libstrongswan/plugins/blowfish/bf_locl.h
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/bf_pi.h b/src/libstrongswan/plugins/blowfish/bf_pi.h
index 79d23db6c..86c2ef366 100644
--- a/src/libstrongswan/plugins/blowfish/bf_pi.h
+++ b/src/libstrongswan/plugins/blowfish/bf_pi.h
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/bf_skey.c b/src/libstrongswan/plugins/blowfish/bf_skey.c
index ceec3b8d4..52a051890 100644
--- a/src/libstrongswan/plugins/blowfish/bf_skey.c
+++ b/src/libstrongswan/plugins/blowfish/bf_skey.c
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/blowfish.h b/src/libstrongswan/plugins/blowfish/blowfish.h
index 9aa30df4b..3c8f77a0f 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish.h
@@ -7,7 +7,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -32,7 +32,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index 1708e078d..6d8d1d709 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -6,7 +6,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
+ * the following conditions are adhered to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
@@ -31,7 +31,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index d236bd429..cb5064d90 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -13,7 +13,7 @@
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.
+ * the following conditions are adhered to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
@@ -34,7 +34,7 @@
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
+ * The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
@@ -309,7 +309,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
#endif
/* The changes to this macro may help or hinder, depending on the
- * compiler and the achitecture. gcc2 always seems to do well :-).
+ * compiler and the architecture. gcc2 always seems to do well :-).
* Inspired by Dana How <how@isl.stanford.edu>
* DO NOT use the alternative version on machines with 8 byte longs.
* It does not seem to work on the Alpha, even when DES_LONG is 4
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index aca232c86..241ef7d3b 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -936,7 +936,12 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this)
bool success = FALSE;
gmp_randinit_default(rstate);
- mpz_inits(k, r, g, y, n1, x, NULL);
+ mpz_init(k);
+ mpz_init(r);
+ mpz_init(g);
+ mpz_init(y);
+ mpz_init(n1);
+ mpz_init(x);
/* k = (d * e) - 1 */
mpz_mul(k, *this->d, this->e);
mpz_sub_ui(k, k, 1);
@@ -956,7 +961,7 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this)
{ /* generate random integer g in [0, n-1] */
mpz_urandomm(g, rstate, this->n);
/* y = g^r mod n */
- mpz_powm_sec(y, g, r, this->n);
+ mpz_powm(y, g, r, this->n);
/* try again if y == 1 or y == n-1 */
if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, n1) == 0)
{
diff --git a/src/libstrongswan/plugins/newhope/newhope_ke.c b/src/libstrongswan/plugins/newhope/newhope_ke.c
index 28956d5fb..72b7e034c 100644
--- a/src/libstrongswan/plugins/newhope/newhope_ke.c
+++ b/src/libstrongswan/plugins/newhope/newhope_ke.c
@@ -246,7 +246,7 @@ static uint32_t* multiply_ntt_inv_poly(private_newhope_ke_t *this, uint32_t *b)
}
/**
- * Pack four 2-bit coefficents into one byte
+ * Pack four 2-bit coefficients into one byte
*/
static void pack_rec(private_newhope_ke_t *this, uint8_t *x, uint8_t *r)
{
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
index ca6899786..efcd2b30a 100644
--- a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
@@ -202,7 +202,7 @@ pkcs7_attributes_t *pkcs7_attributes_create(void)
}
/**
- * ASN.1 definition of the X.501 atttribute type
+ * ASN.1 definition of the X.501 attribute type
*/
static const asn1Object_t attributesObjects[] = {
{ 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 92a860615..156bd8656 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -76,7 +76,7 @@ struct plugin_loader_t {
* If \<ns>.load_modular is enabled (where \<ns> is lib->ns) the plugins to
* load are determined via a load option in their respective plugin config
* section e.g. \<ns>.plugins.\<plugin>.load = <priority|bool>.
- * The oder is determined by the configured priority. If two plugins have
+ * The order is determined by the configured priority. If two plugins have
* the same priority the order as seen in list is preserved. Plugins not
* found in list are loaded first, in alphabetical order.
*
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 16ee0ecc7..1b68320df 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -444,7 +444,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
enumerator_t *enumerator;
time_t revocation;
crl_reason_t reason;
- chunk_t serial;
+ chunk_t subject_serial, serial;
crl_t *crl = (crl_t*)cand;
if (base)
@@ -473,10 +473,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
return best;
}
+ subject_serial = chunk_skip_zero(subject->get_serial(subject));
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
{
- if (chunk_equals(serial, subject->get_serial(subject)))
+ if (chunk_equals(subject_serial, chunk_skip_zero(serial)))
{
if (reason != CRL_REASON_CERTIFICATE_HOLD)
{
diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h
index 1cd96d976..239487dae 100644
--- a/src/libstrongswan/processing/scheduler.h
+++ b/src/libstrongswan/processing/scheduler.h
@@ -45,7 +45,7 @@ typedef struct scheduler_t scheduler_t;
* in-between got slower, as the number of events grew larger (O(n)).
* For each connection there could be several events: IKE-rekey, NAT-keepalive,
* retransmissions, expire (half-open), and others. So a gateway that probably
- * has to handle thousands of concurrent connnections has to be able to queue a
+ * has to handle thousands of concurrent connections has to be able to queue a
* large number of events as fast as possible. Locking makes this even worse, to
* provide thread-safety, no events can be processed, while an event is queued,
* so making the insertion fast is even more important.
@@ -97,13 +97,13 @@ struct scheduler_t {
void (*schedule_job_ms) (scheduler_t *this, job_t *job, uint32_t ms);
/**
- * Adds a event to the queue, using an absolut time.
+ * Adds a event to the queue, using an absolute time.
*
* The passed timeval should be calculated based on the time_monotonic()
* function.
*
* @param job job to schedule
- * @param time absolut time to schedule job
+ * @param time absolute time to schedule job
*/
void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 07f5eb5f2..5737e7a17 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -47,6 +47,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
suites/test_auth_cfg.c \
suites/test_hasher.c \
suites/test_crypter.c \
+ suites/test_proposal.c \
suites/test_crypto_factory.c \
suites/test_iv_gen.c \
suites/test_pen.c \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index f8f8ce83e..20cb27cf3 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -152,6 +152,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \
suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \
suites/libstrongswan_tests-test_hasher.$(OBJEXT) \
suites/libstrongswan_tests-test_crypter.$(OBJEXT) \
+ suites/libstrongswan_tests-test_proposal.$(OBJEXT) \
suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT) \
suites/libstrongswan_tests-test_iv_gen.$(OBJEXT) \
suites/libstrongswan_tests-test_pen.$(OBJEXT) \
@@ -535,6 +536,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \
suites/test_auth_cfg.c \
suites/test_hasher.c \
suites/test_crypter.c \
+ suites/test_proposal.c \
suites/test_crypto_factory.c \
suites/test_iv_gen.c \
suites/test_pen.c \
@@ -683,6 +685,8 @@ suites/libstrongswan_tests-test_hasher.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_crypter.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/libstrongswan_tests-test_proposal.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT): \
suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
suites/libstrongswan_tests-test_iv_gen.$(OBJEXT): \
@@ -750,6 +754,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_process.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@
@@ -1199,6 +1204,20 @@ suites/libstrongswan_tests-test_crypter.obj: suites/test_crypter.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi`
+suites/libstrongswan_tests-test_proposal.o: suites/test_proposal.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c
+
+suites/libstrongswan_tests-test_proposal.obj: suites/test_proposal.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi`
+
suites/libstrongswan_tests-test_crypto_factory.o: suites/test_crypto_factory.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po
diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c
index f1591794a..1a2f97d5f 100644
--- a/src/libcharon/tests/suites/test_proposal.c
+++ b/src/libstrongswan/tests/suites/test_proposal.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,7 @@
#include "test_suite.h"
-#include <config/proposal.h>
+#include <crypto/proposal/proposal.h>
static struct {
protocol_id_t proto;
@@ -57,21 +57,27 @@ static struct {
{ PROTO_AH, "sha256-esn-noesn", "AH:HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" },
};
-START_TEST(test_create_from_string)
+static void assert_proposal_eq(proposal_t *proposal, char *expected)
{
- proposal_t *proposal;
char str[BUF_LEN];
- proposal = proposal_create_from_string(create_data[_i].proto,
- create_data[_i].proposal);
- if (!create_data[_i].expected)
+ if (!expected)
{
ck_assert(!proposal);
return;
}
snprintf(str, sizeof(str), "%P", proposal);
- ck_assert_str_eq(create_data[_i].expected, str);
- proposal->destroy(proposal);
+ ck_assert_str_eq(expected, str);
+}
+
+START_TEST(test_create_from_string)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(create_data[_i].proto,
+ create_data[_i].proposal);
+ assert_proposal_eq(proposal, create_data[_i].expected);
+ DESTROY_IF(proposal);
}
END_TEST
@@ -151,6 +157,43 @@ START_TEST(test_select_spi)
}
END_TEST
+START_TEST(test_promote_dh_group)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(PROTO_IKE,
+ "aes128-sha256-modp3072-ecp256");
+ ck_assert(proposal->promote_dh_group(proposal, ECP_256_BIT));
+ assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_3072");
+ proposal->destroy(proposal);
+}
+END_TEST
+
+START_TEST(test_promote_dh_group_already_front)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(PROTO_IKE,
+ "aes128-sha256-modp3072-ecp256");
+ ck_assert(proposal->promote_dh_group(proposal, MODP_3072_BIT));
+ assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256");
+ proposal->destroy(proposal);
+}
+END_TEST
+
+START_TEST(test_promote_dh_group_not_contained)
+{
+ proposal_t *proposal;
+
+ proposal = proposal_create_from_string(PROTO_IKE,
+ "aes128-sha256-modp3072-ecp256");
+
+ ck_assert(!proposal->promote_dh_group(proposal, MODP_2048_BIT));
+ assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256");
+ proposal->destroy(proposal);
+}
+END_TEST
+
Suite *proposal_suite_create()
{
Suite *s;
@@ -167,5 +210,11 @@ Suite *proposal_suite_create()
tcase_add_test(tc, test_select_spi);
suite_add_tcase(s, tc);
+ tc = tcase_create("promote_dh_group");
+ tcase_add_test(tc, test_promote_dh_group);
+ tcase_add_test(tc, test_promote_dh_group_already_front);
+ tcase_add_test(tc, test_promote_dh_group_not_contained);
+ suite_add_tcase(s, tc);
+
return s;
}
diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index 353010aaf..b423d7d2d 100644
--- a/src/libstrongswan/tests/suites/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -877,8 +877,23 @@ static struct {
{"/0xff", TRUE, { 0, 0xff }},
{"/x", FALSE, { 0 }},
{"x/x", FALSE, { 0 }},
- {"0xffffffff/0x0000ffff", TRUE, { 0x0000ffff, 0x0000ffff }},
- {"0xffffffff/0xffffffff", TRUE, { 0xffffffff, 0xffffffff }},
+ {"0xfffffff0/0x0000ffff", TRUE, { 0x0000fff0, 0x0000ffff }},
+ {"%unique", TRUE, { MARK_UNIQUE, 0xffffffff }},
+ {"%unique/", TRUE, { MARK_UNIQUE, 0 }},
+ {"%unique/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }},
+ {"%unique/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }},
+ {"%unique0xffffffffff", FALSE, { 0, 0 }},
+ {"0xffffffff/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }},
+ {"0xffffffff/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }},
+ {"%unique-dir", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }},
+ {"%unique-dir/", TRUE, { MARK_UNIQUE_DIR, 0 }},
+ {"%unique-dir/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }},
+ {"%unique-dir/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }},
+ {"%unique-dir0xffffffff", FALSE, { 0, 0 }},
+ {"0xfffffffe/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }},
+ {"0xfffffffe/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }},
+ {"%unique-/0xffffffff", FALSE, { 0, 0 }},
+ {"%unique-foo/0xffffffff", FALSE, { 0, 0 }},
};
START_TEST(test_mark_from_string)
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 525bdeb94..5fab227f2 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create)
TEST_SUITE(auth_cfg_suite_create)
TEST_SUITE(hasher_suite_create)
TEST_SUITE(crypter_suite_create)
+TEST_SUITE(proposal_suite_create)
TEST_SUITE(crypto_factory_suite_create)
TEST_SUITE_DEPEND(iv_gen_suite_create, RNG, RNG_STRONG)
TEST_SUITE(pen_suite_create)
diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h
index d3ab0f3d9..bb384e669 100644
--- a/src/libstrongswan/threading/semaphore.h
+++ b/src/libstrongswan/threading/semaphore.h
@@ -29,7 +29,7 @@ typedef struct semaphore_t semaphore_t;
* A semaphore is basically an integer whose value is never allowed to be
* lower than 0. Two operations can be performed on it: increment the
* value by one, and decrement the value by one. If the value is currently
- * zero, then the decrement operation will blcok until the value becomes
+ * zero, then the decrement operation will block until the value becomes
* greater than zero.
*/
struct semaphore_t {
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 8f4b7efff..3a7984098 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -478,7 +478,7 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
}
/**
- * convert a signle hex character to its binary value
+ * convert a single hex character to its binary value
*/
static char hex2bin(char hex)
{
@@ -859,7 +859,7 @@ static inline uint64_t siplast(size_t len, u_char *pos)
}
/**
- * Caculate SipHash-2-4 with an optional first block given as argument.
+ * Calculate SipHash-2-4 with an optional first block given as argument.
*/
static uint64_t chunk_mac_inc(chunk_t chunk, u_char *key, uint64_t m)
{
diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c
index 7dd219db8..69570e9c9 100644
--- a/src/libtls/tls_alert.c
+++ b/src/libtls/tls_alert.c
@@ -106,7 +106,7 @@ struct private_tls_alert_t {
bool consumed;
/**
- * Fatal alert discription
+ * Fatal alert description
*/
tls_alert_desc_t desc;
};
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 7f7742e88..0ec2f5cbe 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -376,7 +376,7 @@ struct private_tls_crypto_t {
tls_cache_t *cache;
/**
- * All handshake data concatentated
+ * All handshake data concatenated
*/
chunk_t handshake;
diff --git a/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h b/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h
index 3477fa74e..cf6110868 100644
--- a/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h
+++ b/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h
@@ -28,7 +28,7 @@ typedef struct imc_imv_msg_t imc_imv_msg_t;
#include <tncif.h>
/**
- * Classs representing the PB-PA message type.
+ * Class representing the PB-PA message type.
*/
struct imc_imv_msg_t {
diff --git a/src/libtpmtss/Makefile.am b/src/libtpmtss/Makefile.am
index 5f3a97a99..1b3a9706f 100644
--- a/src/libtpmtss/Makefile.am
+++ b/src/libtpmtss/Makefile.am
@@ -48,5 +48,3 @@ if MONOLITHIC
libtpmtss_la_LIBADD += plugins/tpm/libstrongswan-tpm.la
endif
endif
-
-
diff --git a/src/libtpmtss/plugins/tpm/Makefile.am b/src/libtpmtss/plugins/tpm/Makefile.am
index 281281022..27db5cc01 100644
--- a/src/libtpmtss/plugins/tpm/Makefile.am
+++ b/src/libtpmtss/plugins/tpm/Makefile.am
@@ -15,6 +15,7 @@ endif
libstrongswan_tpm_la_SOURCES = \
tpm_plugin.h tpm_plugin.c \
+ tpm_cert.h tpm_cert.c \
tpm_private_key.h tpm_private_key.c \
tpm_rng.h tpm_rng.c
diff --git a/src/libtpmtss/plugins/tpm/Makefile.in b/src/libtpmtss/plugins/tpm/Makefile.in
index a12c18a35..e03e73656 100644
--- a/src/libtpmtss/plugins/tpm/Makefile.in
+++ b/src/libtpmtss/plugins/tpm/Makefile.in
@@ -138,8 +138,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@libstrongswan_tpm_la_DEPENDENCIES = \
@MONOLITHIC_FALSE@ $(top_builddir)/src/libtpmtss/libtpmtss.la
-am_libstrongswan_tpm_la_OBJECTS = tpm_plugin.lo tpm_private_key.lo \
- tpm_rng.lo
+am_libstrongswan_tpm_la_OBJECTS = tpm_plugin.lo tpm_cert.lo \
+ tpm_private_key.lo tpm_rng.lo
libstrongswan_tpm_la_OBJECTS = $(am_libstrongswan_tpm_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -465,6 +465,7 @@ AM_CFLAGS = \
libstrongswan_tpm_la_SOURCES = \
tpm_plugin.h tpm_plugin.c \
+ tpm_cert.h tpm_cert.c \
tpm_private_key.h tpm_private_key.c \
tpm_rng.h tpm_rng.c
@@ -558,6 +559,7 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_cert.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_private_key.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_rng.Plo@am__quote@
diff --git a/src/libtpmtss/plugins/tpm/tpm_cert.c b/src/libtpmtss/plugins/tpm/tpm_cert.c
new file mode 100644
index 000000000..248da7e53
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_cert.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule für Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tpm_cert.h"
+
+#include <tpm_tss.h>
+
+#include <utils/debug.h>
+
+
+/**
+ * See header.
+ */
+certificate_t *tpm_cert_load(certificate_type_t type, va_list args)
+{
+ tpm_tss_t *tpm;
+ chunk_t keyid = chunk_empty, pin = chunk_empty, data = chunk_empty;
+ certificate_t *cert;
+ char handle_str[4];
+ size_t len;
+ uint32_t hierarchy = 0x40000001; /* TPM_RH_OWNER */
+ uint32_t handle;
+ bool success;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_PKCS11_KEYID:
+ keyid = va_arg(args, chunk_t);
+ continue;
+ case BUILD_PKCS11_SLOT:
+ hierarchy = va_arg(args, int);
+ continue;
+ case BUILD_PKCS11_MODULE:
+ va_arg(args, char*);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ /* convert keyid into 32 bit TPM key object handle */
+ if (!keyid.len)
+ {
+ return NULL;
+ }
+ len = min(keyid.len, 4);
+ memset(handle_str, 0x00, 4);
+ memcpy(handle_str + 4 - len, keyid.ptr + keyid.len - len, len);
+ handle = untoh32(handle_str);
+
+ /* try to find a TPM 2.0 */
+ tpm = tpm_tss_probe(TPM_VERSION_2_0);
+ if (!tpm)
+ {
+ DBG1(DBG_LIB, "no TPM 2.0 found");
+ return NULL;
+ }
+ success = tpm->get_data(tpm, hierarchy, handle, pin, &data);
+ tpm->destroy(tpm);
+
+ if (!success)
+ {
+ DBG1(DBG_LIB, "loading certificate from TPM NV index 0x%08x failed",
+ handle);
+ return NULL;
+ }
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, data, BUILD_END);
+ free(data.ptr);
+
+ if (!cert)
+ {
+ DBG1(DBG_LIB, "parsing certificate from TPM NV index 0x%08x failed",
+ handle);
+ return NULL;
+ }
+ DBG1(DBG_LIB, "loaded certificate from TPM NV index 0x%08x", handle);
+
+ return cert;
+}
diff --git a/src/libtpmtss/plugins/tpm/tpm_cert.h b/src/libtpmtss/plugins/tpm/tpm_cert.h
new file mode 100644
index 000000000..a6cb34554
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_cert.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tpm_cert tpm_cert
+ * @{ @ingroup tpm
+ */
+
+#ifndef TPM_CERT_H_
+#define TPM_CERT_H_
+
+#include <credentials/certificates/certificate.h>
+
+/**
+ * Load a specific certificate from a TPM
+ *
+ * Requires a BUILD_PKCS11_KEYID argument, and optionally a BUILD_PKCS11_SLOT
+ * to designate the NV storage hierarchy.
+ *
+ * @param type certificate type, must be CERT_X509
+ * @param args variable argument list, containing BUILD_PKCS11_KEYID.
+ * @return loaded certificate, or NULL on failure
+ */
+certificate_t *tpm_cert_load(certificate_type_t type, va_list args);
+
+#endif /** TPM_CERT_H_ @}*/
diff --git a/src/libtpmtss/plugins/tpm/tpm_plugin.c b/src/libtpmtss/plugins/tpm/tpm_plugin.c
index b9a4c12a8..e98899852 100644
--- a/src/libtpmtss/plugins/tpm/tpm_plugin.c
+++ b/src/libtpmtss/plugins/tpm/tpm_plugin.c
@@ -15,6 +15,7 @@
#include "tpm_plugin.h"
#include "tpm_private_key.h"
+#include "tpm_cert.h"
#include "tpm_rng.h"
#include <library.h>
@@ -50,13 +51,19 @@ METHOD(plugin_t, get_features, int,
PLUGIN_REGISTER(PRIVKEY, tpm_private_key_connect, FALSE),
PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
};
- static plugin_feature_t f[countof(f_rng) + countof(f_privkey)] = {};
-
+ static plugin_feature_t f_cert[] = {
+ PLUGIN_REGISTER(CERT_DECODE, tpm_cert_load, FALSE),
+ PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
+ PLUGIN_DEPENDS(CERT_DECODE, CERT_X509),
+ };
+ static plugin_feature_t f[countof(f_rng) + countof(f_privkey) +
+ countof(f_cert)] = {};
static int count = 0;
if (!count)
{
plugin_features_add(f, f_privkey, countof(f_privkey), &count);
+ plugin_features_add(f, f_cert, countof(f_cert), &count);
if (lib->settings->get_bool(lib->settings,
"%s.plugins.tpm.use_rng", FALSE, lib->ns))
diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h
index f408d0440..bcb7ab949 100644
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@@ -144,6 +144,18 @@ struct tpm_tss_t {
bool (*get_random)(tpm_tss_t *this, size_t bytes, uint8_t *buffer);
/**
+ * Get a data blob from TPM NV store using its object handle (TPM 2.0 only)
+ *
+ * @param handle object handle of TPM key to be used for signature
+ * @param hierarchy hierarchy the TPM key object is attached to
+ * @param pin PIN code or empty chunk
+ * @param data returns data blob
+ * @return TRUE if data retrieval succeeded
+ */
+ bool (*get_data)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
+ chunk_t pin, chunk_t *data);
+
+ /**
* Destroy a tpm_tss_t.
*/
void (*destroy)(tpm_tss_t *this);
diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c
index d5bc2b84f..6ed57af9d 100644
--- a/src/libtpmtss/tpm_tss_trousers.c
+++ b/src/libtpmtss/tpm_tss_trousers.c
@@ -595,6 +595,13 @@ METHOD(tpm_tss_t, get_random, bool,
return FALSE;
}
+METHOD(tpm_tss_t, get_data, bool,
+ private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
+ chunk_t pin, chunk_t *data)
+{
+ return FALSE;
+}
+
METHOD(tpm_tss_t, destroy, void,
private_tpm_tss_trousers_t *this)
{
@@ -639,6 +646,7 @@ tpm_tss_t *tpm_tss_trousers_create()
.quote = _quote,
.sign = _sign,
.get_random = _get_random,
+ .get_data = _get_data,
.destroy = _destroy,
},
.load_aik = _load_aik,
diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c
index 4c0d95fe5..8b91fb44a 100644
--- a/src/libtpmtss/tpm_tss_tss2.c
+++ b/src/libtpmtss/tpm_tss_tss2.c
@@ -150,14 +150,56 @@ static bool is_supported_alg(private_tpm_tss_tss2_t *this, TPM_ALG_ID alg_id)
static bool get_algs_capability(private_tpm_tss_tss2_t *this)
{
TPMS_CAPABILITY_DATA cap_data;
+ TPMS_TAGGED_PROPERTY tp;
TPMI_YES_NO more_data;
TPM_ALG_ID alg;
- uint32_t rval, i;
+ uint32_t rval, i, offset, revision = 0, year = 0;
size_t len = BUF_LEN;
- char buf[BUF_LEN];
+ char buf[BUF_LEN], manufacturer[5], vendor_string[17];
char *pos = buf;
int written;
+ /* get fixed properties */
+ rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_TPM_PROPERTIES,
+ PT_FIXED, MAX_TPM_PROPERTIES, &more_data, &cap_data, 0);
+ if (rval != TPM_RC_SUCCESS)
+ {
+ DBG1(DBG_PTS, "%s GetCapability failed for TPM_CAP_TPM_PROPERTIES: 0x%06x",
+ LABEL, rval);
+ return FALSE;
+ }
+ memset(manufacturer, '\0', sizeof(manufacturer));
+ memset(vendor_string, '\0', sizeof(vendor_string));
+
+ /* print fixed properties */
+ for (i = 0; i < cap_data.data.tpmProperties.count; i++)
+ {
+ tp = cap_data.data.tpmProperties.tpmProperty[i];
+ switch (tp.property)
+ {
+ case TPM_PT_REVISION:
+ revision = tp.value;
+ break;
+ case TPM_PT_YEAR:
+ year = tp.value;
+ break;
+ case TPM_PT_MANUFACTURER:
+ htoun32(manufacturer, tp.value);
+ break;
+ case TPM_PT_VENDOR_STRING_1:
+ case TPM_PT_VENDOR_STRING_2:
+ case TPM_PT_VENDOR_STRING_3:
+ case TPM_PT_VENDOR_STRING_4:
+ offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1);
+ htoun32(vendor_string + offset, tp.value);
+ break;
+ default:
+ break;
+ }
+ }
+ DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
+ vendor_string, (float)revision/100, year);
+
/* get supported algorithms */
rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS,
0, TPM_PT_ALGORITHM_SET, &more_data, &cap_data, 0);
@@ -433,6 +475,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
{
DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key "
"failed", LABEL);
+ return chunk_empty;
}
break;
}
@@ -563,8 +606,93 @@ METHOD(tpm_tss_t, extend_pcr, bool,
private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value,
chunk_t data, hash_algorithm_t alg)
{
- /* TODO */
- return FALSE;
+ uint32_t rval;
+ TPM_ALG_ID alg_id;
+ TPML_DIGEST_VALUES digest_values;
+ TPMS_AUTH_COMMAND session_data_cmd;
+ TPMS_AUTH_RESPONSE session_data_rsp;
+ TSS2_SYS_CMD_AUTHS sessions_data_cmd;
+ TSS2_SYS_RSP_AUTHS sessions_data_rsp;
+ TPMS_AUTH_COMMAND *session_data_cmd_array[1];
+ TPMS_AUTH_RESPONSE *session_data_rsp_array[1];
+
+ session_data_cmd_array[0] = &session_data_cmd;
+ session_data_rsp_array[0] = &session_data_rsp;
+
+ sessions_data_cmd.cmdAuths = &session_data_cmd_array[0];
+ sessions_data_rsp.rspAuths = &session_data_rsp_array[0];
+
+ sessions_data_cmd.cmdAuthsCount = 1;
+ sessions_data_rsp.rspAuthsCount = 1;
+
+ session_data_cmd.sessionHandle = TPM_RS_PW;
+ session_data_cmd.hmac.t.size = 0;
+ session_data_cmd.nonce.t.size = 0;
+
+ *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
+
+ /* check if hash algorithm is supported by TPM */
+ alg_id = hash_alg_to_tpm_alg_id(alg);
+ if (!is_supported_alg(this, alg_id))
+ {
+ DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM",
+ LABEL, hash_algorithm_short_names, alg);
+ return FALSE;
+ }
+
+ digest_values.count = 1;
+ digest_values.digests[0].hashAlg = alg_id;
+
+ switch (alg)
+ {
+ case HASH_SHA1:
+ if (data.len != HASH_SIZE_SHA1)
+ {
+ return FALSE;
+ }
+ memcpy(digest_values.digests[0].digest.sha1, data.ptr,
+ HASH_SIZE_SHA1);
+ break;
+ case HASH_SHA256:
+ if (data.len != HASH_SIZE_SHA256)
+ {
+ return FALSE;
+ }
+ memcpy(digest_values.digests[0].digest.sha256, data.ptr,
+ HASH_SIZE_SHA256);
+ break;
+ case HASH_SHA384:
+ if (data.len != HASH_SIZE_SHA384)
+ {
+ return FALSE;
+ }
+ memcpy(digest_values.digests[0].digest.sha384, data.ptr,
+ HASH_SIZE_SHA384);
+ break;
+ case HASH_SHA512:
+ if (data.len != HASH_SIZE_SHA512)
+ {
+ return FALSE;
+ }
+ memcpy(digest_values.digests[0].digest.sha512, data.ptr,
+ HASH_SIZE_SHA512);
+ break;
+ default:
+ return FALSE;
+ }
+
+ /* extend PCR */
+ rval = Tss2_Sys_PCR_Extend(this->sys_context, pcr_num, &sessions_data_cmd,
+ &digest_values, &sessions_data_rsp);
+ if (rval != TPM_RC_SUCCESS)
+ {
+ DBG1(DBG_PTS, "%s PCR %02u could not be extended: 0x%06x",
+ LABEL, pcr_num, rval);
+ return FALSE;
+ }
+
+ /* get updated PCR value */
+ return read_pcr(this, pcr_num, pcr_value, alg);
}
METHOD(tpm_tss_t, quote, bool,
@@ -913,6 +1041,78 @@ METHOD(tpm_tss_t, get_random, bool,
return TRUE;
}
+METHOD(tpm_tss_t, get_data, bool,
+ private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
+ chunk_t pin, chunk_t *data)
+{
+ uint16_t nv_size, nv_offset = 0;
+ uint32_t rval;
+
+ TPM2B_NAME nv_name = { { sizeof(TPM2B_NAME)-2, } };
+ TPM2B_NV_PUBLIC nv_public = { { 0, } };
+ TPM2B_MAX_NV_BUFFER nv_data = { { sizeof(TPM2B_MAX_NV_BUFFER)-2, } };
+ TPMS_AUTH_COMMAND session_data_cmd;
+ TPMS_AUTH_RESPONSE session_data_rsp;
+ TSS2_SYS_CMD_AUTHS sessions_data_cmd;
+ TSS2_SYS_RSP_AUTHS sessions_data_rsp;
+ TPMS_AUTH_COMMAND *session_data_cmd_array[1];
+ TPMS_AUTH_RESPONSE *session_data_rsp_array[1];
+
+ /* get size of NV object */
+ rval = Tss2_Sys_NV_ReadPublic(this->sys_context, handle, 0, &nv_public,
+ &nv_name, 0);
+ if (rval != TPM_RC_SUCCESS)
+ {
+ DBG1(DBG_PTS,"%s Tss2_Sys_NV_ReadPublic failed: 0x%06x", LABEL, rval);
+ return FALSE;
+ }
+ nv_size = nv_public.t.nvPublic.dataSize;
+ *data = chunk_alloc(nv_size);
+
+ /*prepare NV read session */
+ session_data_cmd_array[0] = &session_data_cmd;
+ session_data_rsp_array[0] = &session_data_rsp;
+
+ sessions_data_cmd.cmdAuths = &session_data_cmd_array[0];
+ sessions_data_rsp.rspAuths = &session_data_rsp_array[0];
+
+ sessions_data_cmd.cmdAuthsCount = 1;
+ sessions_data_rsp.rspAuthsCount = 1;
+
+ session_data_cmd.sessionHandle = TPM_RS_PW;
+ session_data_cmd.nonce.t.size = 0;
+ session_data_cmd.hmac.t.size = 0;
+
+ if (pin.len > 0)
+ {
+ session_data_cmd.hmac.t.size = min(sizeof(session_data_cmd.hmac.t) - 2,
+ pin.len);
+ memcpy(session_data_cmd.hmac.t.buffer, pin.ptr,
+ session_data_cmd.hmac.t.size);
+ }
+ *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
+
+ /* read NV data an NV buffer block at a time */
+ while (nv_size > 0)
+ {
+ rval = Tss2_Sys_NV_Read(this->sys_context, hierarchy, handle,
+ &sessions_data_cmd, min(nv_size, MAX_NV_BUFFER_SIZE),
+ nv_offset, &nv_data, &sessions_data_rsp);
+
+ if (rval != TPM_RC_SUCCESS)
+ {
+ DBG1(DBG_PTS,"%s Tss2_Sys_NV_Read failed: 0x%06x", LABEL, rval);
+ chunk_free(data);
+ return FALSE;
+ }
+ memcpy(data->ptr + nv_offset, nv_data.t.buffer, nv_data.t.size);
+ nv_offset += nv_data.t.size;
+ nv_size -= nv_data.t.size;
+ }
+
+ return TRUE;
+}
+
METHOD(tpm_tss_t, destroy, void,
private_tpm_tss_tss2_t *this)
{
@@ -939,6 +1139,7 @@ tpm_tss_t *tpm_tss_tss2_create()
.quote = _quote,
.sign = _sign,
.get_random = _get_random,
+ .get_data = _get_data,
.destroy = _destroy,
},
);
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 80210166a..2ab3e61fc 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -60,7 +60,8 @@ static int print()
credential_type_t type = CRED_CERTIFICATE;
int subtype = CERT_X509;
void *cred;
- char *arg, *file = NULL;
+ char *arg, *file = NULL, *keyid = NULL;
+ chunk_t chunk;
while (TRUE)
{
@@ -126,6 +127,9 @@ static int print()
case 'i':
file = arg;
continue;
+ case 'x':
+ keyid = arg;
+ continue;
case EOF:
break;
default:
@@ -133,15 +137,20 @@ static int print()
}
break;
}
- if (file)
+ if (keyid)
+ {
+ chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+ cred = lib->creds->create(lib->creds, type, subtype,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ free(chunk.ptr);
+ }
+ else if (file)
{
cred = lib->creds->create(lib->creds, type, subtype,
BUILD_FROM_FILE, file, BUILD_END);
}
else
{
- chunk_t chunk;
-
set_file_mode(stdin, CERT_ASN1_DER);
if (!chunk_from_fd(0, &chunk))
{
@@ -187,10 +196,12 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ print, 'a', "print",
"print a credential in a human readable form",
- {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"},
+ {"[--in file|--keyid hex] "
+ "[--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
+ {"keyid", 'x', 1, "smartcard or TPM object handle"},
{"type", 't', 1, "type of credential, default: x509"},
}
});
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index ad85fb381..09b8a10c3 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -7,7 +7,9 @@ pki \-\-print \- Print a credential (key, certificate etc.) in human readable fo
.SH "SYNOPSIS"
.
.SY pki\ \-\-print
-.OP \-\-in file
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
.OP \-\-type type
.OP \-\-debug level
.YS
@@ -43,6 +45,10 @@ Read command line options from \fIfile\fR.
.BI "\-i, \-\-in " file
Input file. If not given the input is read from \fISTDIN\fR.
.TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key or certificate object handle in hex format with
+an optional 0x prefix.
+.TP
.BI "\-t, \-\-type " type
Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in
index 795054c80..3e14cbe37 100644
--- a/src/pt-tls-client/pt-tls-client.1.in
+++ b/src/pt-tls-client/pt-tls-client.1.in
@@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information
.BI \-\-connect
.IR hostname |\fIaddress
.OP \-\-port hex
-.RB [ \-\-cert
+.RB [ \-\-certid
+.IR hex |\fB\-\-cert
.IR file ]+
.RB [ \-\-keyid
.IR hex |\fB\-\-key
@@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271.
Set the path to an X.509 certificate file. This option can be repeated to load
multiple client and CA certificates.
.TP
+.BI "\-X, \-\-certid " hex
+Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
+Platform Module.
+.TP
.BI "\-k, \-\-key " file
Set the path to the client's PKCS#1 or PKCS#8 private key file
.TP
@@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file
Define the type of the private key if stored in PKCS#1 format. Can be omitted
with PKCS#8 keys.
.TP
-.BI "\-x, \-\-keyid " hex
+.BI "\-K, \-\-keyid " hex
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
.TP
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index 841724eb3..d31e16220 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -42,7 +42,7 @@ static void usage(FILE *out)
{
fprintf(out,
"Usage: pt-tls --connect <hostname|address> [--port <port>]\n"
- " [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
+ " [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n"
" [--key-type rsa|ecdsa] [--client <client-id>]\n"
" [--secret <password>] [--mutual] [--quiet]\n"
" [--debug <level>] [--options <filename>]\n");
@@ -104,15 +104,26 @@ static mem_cred_t *creds;
/**
* Load certificate from file
*/
-static bool load_certificate(char *filename)
+static bool load_certificate(char *certid, char *filename)
{
certificate_t *cert;
+ chunk_t chunk;
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, filename, BUILD_END);
+ if (certid)
+ {
+ chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ }
+ else
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, filename, BUILD_END);
+ }
if (!cert)
{
- DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
+ DBG1(DBG_TLS, "loading certificate from '%s' failed",
+ certid ? certid : filename);
return FALSE;
}
creds->add_cert(creds, TRUE, cert);
@@ -282,6 +293,7 @@ int main(int argc, char *argv[])
{"client", required_argument, NULL, 'i' },
{"secret", required_argument, NULL, 's' },
{"port", required_argument, NULL, 'p' },
+ {"certid", required_argument, NULL, 'X' },
{"cert", required_argument, NULL, 'x' },
{"keyid", required_argument, NULL, 'K' },
{"key", required_argument, NULL, 'k' },
@@ -301,8 +313,14 @@ int main(int argc, char *argv[])
case 'h': /* --help */
usage(stdout);
return 0;
+ case 'X': /* --certid <hex> */
+ if (!load_certificate(optarg, NULL))
+ {
+ return 1;
+ }
+ continue;
case 'x': /* --cert <file> */
- if (!load_certificate(optarg))
+ if (!load_certificate(NULL, optarg))
{
return 1;
}
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index 19e7050da..f692e9966 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -84,8 +84,8 @@ CALLBACK(children_sn, int,
{
hashtable_t *child;
char *mode, *interface, *priority;
- char *rekey_time, *rekey_bytes, *rekey_packets;
- bool no_time, no_bytes, no_packets, or = FALSE;
+ char *rekey_time, *rekey_bytes, *rekey_packets, *dpd_action, *dpd_delay;
+ bool no_time, no_bytes, no_packets, no_dpd, or = FALSE;
int ret;
child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
@@ -98,14 +98,18 @@ CALLBACK(children_sn, int,
rekey_time = child->get(child, "rekey_time");
rekey_bytes = child->get(child, "rekey_bytes");
rekey_packets = child->get(child, "rekey_packets");
+ dpd_action = child->get(child, "dpd_action");
+ dpd_delay = ike->get(ike, "dpd_delay");
+
no_time = streq(rekey_time, "0");
no_bytes = streq(rekey_bytes, "0");
no_packets = streq(rekey_packets, "0");
+ no_dpd = streq(dpd_delay, "0");
if (strcaseeq(mode, "PASS") || strcaseeq(mode, "DROP") ||
(no_time && no_bytes && no_packets))
{
- printf("no rekeying\n");
+ printf("no rekeying");
}
else
{
@@ -124,8 +128,12 @@ CALLBACK(children_sn, int,
{
printf("%s %s packets", or ? " or" : "", rekey_packets);
}
- printf("\n");
}
+ if (!no_dpd)
+ {
+ printf(", dpd action is %s", dpd_action);
+ }
+ printf("\n");
printf(" local: %s\n", child->get(child, "local-ts"));
printf(" remote: %s\n", child->get(child, "remote-ts"));
@@ -153,7 +161,7 @@ CALLBACK(conn_sn, int,
if (streq(name, "children"))
{
- return vici_parse_cb(res, children_sn, NULL, NULL, NULL);
+ return vici_parse_cb(res, children_sn, NULL, NULL, ike);
}
if (strpfx(name, "local") || strpfx(name, "remote"))
{
@@ -225,11 +233,17 @@ CALLBACK(conn_list, int,
CALLBACK(conns, int,
void *null, vici_res_t *res, char *name)
{
- char *version, *reauth_time, *rekey_time;
+ int ret;
+ char *version, *reauth_time, *rekey_time, *dpd_delay;
+ hashtable_t *ike;
version = vici_find_str(res, "", "%s.version", name);
- reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
- rekey_time = vici_find_str(res, "", "%s.rekey_time", name);
+ reauth_time = vici_find_str(res, "0", "%s.reauth_time", name);
+ rekey_time = vici_find_str(res, "0", "%s.rekey_time", name);
+ dpd_delay = vici_find_str(res, "0", "%s.dpd_delay", name);
+
+ ike = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
+ free(ike->put(ike,"dpd_delay", strdup(dpd_delay)));
printf("%s: %s, ", name, version);
if (streq(version, "IKEv1"))
@@ -247,22 +261,26 @@ CALLBACK(conns, int,
{
printf("reauthentication every %ss", reauth_time);
}
- if (streq(version, "IKEv1"))
- {
- printf("\n");
- }
- else
+ if (!streq(version, "IKEv1"))
{
if (streq(rekey_time, "0"))
{
- printf(", no rekeying\n");
+ printf(", no rekeying");
}
else
{
- printf(", rekeying every %ss\n", rekey_time);
+ printf(", rekeying every %ss", rekey_time);
}
}
- return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
+ if (!streq(dpd_delay, "0"))
+ {
+ printf(", dpd delay %ss", dpd_delay);
+ }
+ printf("\n");
+
+ ret = vici_parse_cb(res, conn_sn, NULL, conn_list, ike);
+ free_hashtable(ike);
+ return ret;
}
CALLBACK(list_cb, void,
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 8947866f5..d82c0f98e 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -75,15 +75,15 @@ static bool add_file_key_value(vici_req_t *req, char *key, char *value)
}
/**
- * Translate sletting key/values from a section into vici key-values/lists
+ * Translate sletting key/values from a section enumerator into vici
+ * key-values/lists. Destroys the enumerator.
*/
-static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+static bool add_key_values(vici_req_t *req, enumerator_t *enumerator)
{
- enumerator_t *enumerator;
char *key, *value;
bool ret = TRUE;
- enumerator = cfg->create_key_value_enumerator(cfg, section);
+
while (enumerator->enumerate(enumerator, &key, &value))
{
if (streq(key, "cacert"))
@@ -115,17 +115,17 @@ static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
static bool load_authority(vici_conn_t *conn, settings_t *cfg,
char *section, command_format_options_t format)
{
+ enumerator_t *enumerator;
vici_req_t *req;
vici_res_t *res;
bool ret = TRUE;
- char buf[128];
-
- snprintf(buf, sizeof(buf), "%s.%s", "authorities", section);
req = vici_begin("load-authority");
vici_begin_section(req, section);
- if (!add_key_values(req, cfg, buf))
+ enumerator = cfg->create_key_value_enumerator(cfg, "authorities.%s",
+ section);
+ if (!add_key_values(req, enumerator))
{
vici_free_req(req);
return FALSE;
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index d8541061e..15ef2f151 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -337,7 +337,7 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type,
credential_type_t credtype;
int subtype;
enumerator_t *enumerator, *secrets;
- char *section, *key, *value, *file, buf[128];
+ char *section, *key, *value, *file;
shared_key_t *shared;
void *cred = NULL;
mem_cred_t *mem = NULL;
@@ -356,8 +356,8 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type,
file = ctx->cfg->get_str(ctx->cfg, "secrets.%s.file", NULL, section);
if (file && strcaseeq(file, name))
{
- snprintf(buf, sizeof(buf), "secrets.%s", section);
- secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf);
+ secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg,
+ "secrets.%s", section);
while (secrets->enumerate(secrets, &key, &value))
{
if (strpfx(key, "secret"))
@@ -657,7 +657,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
vici_req_t *req;
vici_res_t *res;
chunk_t data;
- char *key, *value, buf[128], *type = NULL;
+ char *key, *value, *type = NULL;
bool ret = TRUE;
int i;
char *types[] = {
@@ -720,8 +720,8 @@ static bool load_secret(load_ctx_t *ctx, char *section)
chunk_clear(&data);
vici_begin_list(req, "owners");
- snprintf(buf, sizeof(buf), "secrets.%s", section);
- enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf);
+ enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, "secrets.%s",
+ section);
while (enumerator->enumerate(enumerator, &key, &value))
{
if (strpfx(key, "id"))
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index 2b9fa2d42..feb8d3a52 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -41,14 +41,13 @@ static void add_list_key(vici_req_t *req, char *key, char *value)
}
/**
- * Translate setting key/values from a section into vici key-values/lists
+ * Translate setting key/values from a section enumerator into vici
+ * key-values/lists. Destroys the enumerator.
*/
-static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+static void add_key_values(vici_req_t *req, enumerator_t *enumerator)
{
- enumerator_t *enumerator;
char *key, *value;
- enumerator = cfg->create_key_value_enumerator(cfg, section);
while (enumerator->enumerate(enumerator, &key, &value))
{
/* pool subnet is encoded as key/value, all other attributes as list */
@@ -70,17 +69,16 @@ static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
static bool load_pool(vici_conn_t *conn, settings_t *cfg,
char *section, command_format_options_t format)
{
+ enumerator_t *enumerator;
vici_req_t *req;
vici_res_t *res;
bool ret = TRUE;
- char buf[128];
-
- snprintf(buf, sizeof(buf), "%s.%s", "pools", section);
req = vici_begin("load-pool");
vici_begin_section(req, section);
- add_key_values(req, cfg, buf);
+ enumerator = cfg->create_key_value_enumerator(cfg, "pools.%s", section);
+ add_key_values(req, enumerator);
vici_end_section(req);
res = vici_submit(req, conn);
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 6c73d4775..637661083 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -726,9 +726,10 @@ trustchain validation, append hash algorithms to
.RI "" "pubkey" ""
or a key strength
definition (for example
-.RI "" "pubkey\-sha1\-sha256" ""
+.RI "" "pubkey\-sha256\-sha512" ","
+.RI "" "rsa\-2048\-sha256\-sha384\-sha512" ""
or
-.RI "" "rsa\-2048\-ecdsa\-256\-sha256\-sha384\-sha512" ")."
+.RI "" "rsa\-2048\-sha256\-ecdsa\-256\-sha256\-sha384" ")."
Unless disabled in
.RB "" "strongswan.conf" "(5),"
or explicit IKEv2 signature constraints are configured
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 2dd9ea374..5675b31ca 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -587,8 +587,9 @@ connections.<conn>.remote<suffix>.auth = pubkey
key type followed by the minimum strength in bits (for example _ecdsa-384_
or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms
for trustchain validation, append hash algorithms to _pubkey_ or a key
- strength definition (for example _pubkey-sha1-sha256_ or
- _rsa-2048-ecdsa-256-sha256-sha384-sha512_).
+ strength definition (for example _pubkey-sha256-sha512_,
+ _rsa-2048-sha256-sha384-sha512_ or
+ _rsa-2048-sha256-ecdsa-256-sha256-sha384_).
Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature
constraints are configured (refer to the description of the **local**
section's **auth** keyword for details), such key types and hash algorithms
diff --git a/src/tpm_extendpcr/Makefile.am b/src/tpm_extendpcr/Makefile.am
new file mode 100644
index 000000000..2e2474418
--- /dev/null
+++ b/src/tpm_extendpcr/Makefile.am
@@ -0,0 +1,14 @@
+bin_PROGRAMS = tpm_extendpcr
+
+tpm_extendpcr_SOURCES = tpm_extendpcr.c
+
+tpm_extendpcr_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libtpmtss/libtpmtss.la
+
+tpm_extendpcr.o : $(top_builddir)/config.status
+
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libtpmtss \
+ -DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/tpm_extendpcr/Makefile.in b/src/tpm_extendpcr/Makefile.in
new file mode 100644
index 000000000..0ce681c69
--- /dev/null
+++ b/src/tpm_extendpcr/Makefile.in
@@ -0,0 +1,769 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+bin_PROGRAMS = tpm_extendpcr$(EXEEXT)
+subdir = src/tpm_extendpcr
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(bindir)"
+PROGRAMS = $(bin_PROGRAMS)
+am_tpm_extendpcr_OBJECTS = tpm_extendpcr.$(OBJEXT)
+tpm_extendpcr_OBJECTS = $(am_tpm_extendpcr_OBJECTS)
+tpm_extendpcr_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libtpmtss/libtpmtss.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(tpm_extendpcr_SOURCES)
+DIST_SOURCES = $(tpm_extendpcr_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FUZZING_LDFLAGS = @FUZZING_LDFLAGS@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPERF_LEN_TYPE = @GPERF_LEN_TYPE@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+tpm_extendpcr_SOURCES = tpm_extendpcr.c
+tpm_extendpcr_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libtpmtss/libtpmtss.la
+
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libtpmtss \
+ -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/tpm_extendpcr/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/tpm_extendpcr/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-binPROGRAMS: $(bin_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
+ fi; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p \
+ || test -f $$p1 \
+ ; then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' \
+ -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-binPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' \
+ `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(bindir)" && rm -f $$files
+
+clean-binPROGRAMS:
+ @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+
+tpm_extendpcr$(EXEEXT): $(tpm_extendpcr_OBJECTS) $(tpm_extendpcr_DEPENDENCIES) $(EXTRA_tpm_extendpcr_DEPENDENCIES)
+ @rm -f tpm_extendpcr$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(tpm_extendpcr_OBJECTS) $(tpm_extendpcr_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_extendpcr.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(bindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-binPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-binPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
+ clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
+ ctags ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-binPROGRAMS \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am uninstall-binPROGRAMS
+
+.PRECIOUS: Makefile
+
+
+tpm_extendpcr.o : $(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/tpm_extendpcr/tpm_extendpcr.c b/src/tpm_extendpcr/tpm_extendpcr.c
new file mode 100644
index 000000000..31d0d3d25
--- /dev/null
+++ b/src/tpm_extendpcr/tpm_extendpcr.c
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <tpm_tss.h>
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+#include <utils/debug.h>
+
+#include <syslog.h>
+#include <getopt.h>
+#include <errno.h>
+
+
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t default_loglevel = 1;
+
+/* global variables */
+tpm_tss_t *tpm;
+chunk_t digest;
+chunk_t pcr_value;
+
+/**
+ * logging function for tpm_extendpcr
+ */
+static void tpm_extendpcr_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+ char buffer[8192];
+ char *current = buffer, *next;
+ va_list args;
+
+ if (level <= default_loglevel)
+ {
+ if (log_to_stderr)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ }
+ if (log_to_syslog)
+ {
+ /* write in memory buffer first */
+ va_start(args, fmt);
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
+
+ /* do a syslog with every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(LOG_INFO, "%s\n", current);
+ current = next;
+ }
+ }
+ }
+}
+
+/**
+ * Initialize logging to stderr/syslog
+ */
+static void init_log(const char *program)
+{
+ dbg = tpm_extendpcr_dbg;
+
+ if (log_to_stderr)
+ {
+ setbuf(stderr, NULL);
+ }
+ if (log_to_syslog)
+ {
+ openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+ }
+}
+
+/**
+ * @brief exit tpm_extendpcr
+ *
+ * @param status 0 = OK, -1 = general discomfort
+ */
+static void exit_tpm_extendpcr(err_t message, ...)
+{
+ int status = 0;
+
+ DESTROY_IF(tpm);
+ chunk_free(&digest);
+ chunk_free(&pcr_value);
+
+ /* print any error message to stderr */
+ if (message != NULL && *message != '\0')
+ {
+ va_list args;
+ char m[8192];
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ fprintf(stderr, "tpm_extendpcr error: %s\n", m);
+ status = -1;
+ }
+ library_deinit();
+ exit(status);
+}
+
+/**
+ * @brief prints the usage of the program to the stderr output
+ *
+ * If message is set, program is exited with 1 (error)
+ * @param message message in case of an error
+ */
+static void usage(const char *message)
+{
+ fprintf(stderr,
+ "Usage: tpm_extendpcr [--alg <name>] --pcr <nr> --digest <hex>|--in"
+ " <file>\n"
+ " [--hash] [--out <file>] [--quiet]"
+ " [--debug <level>]\n"
+ " tpm_extendpcr --help\n"
+ "\n"
+ "Options:\n"
+ " --alg (-a) hash algorithm (sha1|sha256)\n"
+ " --pcr (-p) platform configuration register (0..23)\n"
+ " --digest (-d) digest in hex format to be extended\n"
+ " --in (-i) binary input file with digest to be extended\n"
+ " --hash (-x) prehash the input file to create digest\n"
+ " --out (-o) binary output file with updated PCR value\n"
+ " --help (-h) show usage and exit\n"
+ "\n"
+ "Debugging output:\n"
+ " --debug (-l) changes the log level (-1..4, default: 1)\n"
+ " --quiet (-q) do not write log output to stderr\n"
+ );
+ exit_tpm_extendpcr(message);
+}
+
+/**
+ * @brief main of tpm_extendpcr which extends digest into a PCR
+ *
+ * @param argc number of arguments
+ * @param argv pointer to the argument values
+ */
+int main(int argc, char *argv[])
+{
+ hash_algorithm_t alg = HASH_SHA1;
+ hasher_t *hasher = NULL;
+ char *infile = NULL, *outfile = NULL;
+ uint32_t pcr = 16;
+ bool hash = FALSE;
+
+ atexit(library_deinit);
+ if (!library_init(NULL, "tpm_extendpcr"))
+ {
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "tpm_extendpcr", argv[0]))
+ {
+ fprintf(stderr, "integrity check of tpm_extendpcr failed\n");
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
+
+ for (;;)
+ {
+ static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "alg", required_argument, NULL, 'a' },
+ { "pcr", required_argument, NULL, 'p' },
+ { "digest", required_argument, NULL, 'd' },
+ { "in", required_argument, NULL, 'i' },
+ { "hash", no_argument, NULL, 'x' },
+ { "out", required_argument, NULL, 'o' },
+ { "quiet", no_argument, NULL, 'q' },
+ { "debug", required_argument, NULL, 'l' },
+ { 0,0,0,0 }
+ };
+
+ /* parse next option */
+ int c = getopt_long(argc, argv, "ha:p:d:i:xo:ql:", long_opts, NULL);
+
+ switch (c)
+ {
+ case EOF: /* end of flags */
+ break;
+
+ case 'h': /* --help */
+ usage(NULL);
+
+ case 'a': /* --alg <name> */
+ if (!enum_from_name(hash_algorithm_short_names, optarg, &alg))
+ {
+ usage("unsupported hash algorithm");
+ }
+ continue;
+ case 'p': /* --pcr <nr> */
+ pcr = atoi(optarg);
+ continue;
+
+ case 'd': /* --digest <hex> */
+ digest = chunk_from_hex(chunk_from_str(optarg), NULL);
+ continue;
+
+ case 'i': /* --in <file> */
+ infile = optarg;
+ continue;
+
+ case 'x': /* --hash */
+ hash = TRUE;
+ continue;
+
+ case 'o': /* --out <file> */
+ outfile = optarg;
+ continue;
+
+ case 'q': /* --quiet */
+ log_to_stderr = FALSE;
+ continue;
+
+ case 'l': /* --debug <level> */
+ default_loglevel = atoi(optarg);
+ continue;
+
+ default:
+ usage("unknown option");
+ }
+ /* break from loop */
+ break;
+ }
+
+ init_log("tpm_extendpcr");
+
+ if (!lib->plugins->load(lib->plugins,
+ lib->settings->get_str(lib->settings, "tpm_extendpcr.load",
+ "tpm sha1 sha2")))
+ {
+ exit_tpm_extendpcr("plugin loading failed");
+ }
+
+ /* try to find a TPM */
+ tpm = tpm_tss_probe(TPM_VERSION_ANY);
+ if (!tpm)
+ {
+ exit_tpm_extendpcr("no TPM found");
+ }
+
+ /* read digest from file */
+ if (digest.len == 0)
+ {
+ chunk_t *chunk;
+
+ if (!infile)
+ {
+ exit_tpm_extendpcr("--digest or --in option required");
+ }
+ chunk = chunk_map(infile, FALSE);
+ if (!chunk)
+ {
+ exit_tpm_extendpcr("reading input file failed");
+ }
+ if (hash)
+ {
+ hasher = lib->crypto->create_hasher(lib->crypto, alg);
+ if (!hasher || !hasher->allocate_hash(hasher, *chunk, &digest))
+ {
+ DESTROY_IF(hasher);
+ chunk_unmap(chunk);
+ exit_tpm_extendpcr("prehashing infile failed");
+ }
+ hasher->destroy(hasher);
+ }
+ else
+ {
+ digest = chunk_clone(*chunk);
+ }
+ chunk_unmap(chunk);
+ }
+ DBG1(DBG_PTS, "Digest: %#B", &digest);
+
+ /* extend digest into PCR */
+ if (!tpm->extend_pcr(tpm, pcr, &pcr_value, digest, alg))
+ {
+ exit_tpm_extendpcr("extending PCR failed");
+ }
+ DBG1(DBG_PTS, "PCR %02u: %#B", pcr, &pcr_value);
+
+ /* write PCR value to file */
+ if (outfile)
+ {
+ if (!chunk_write(pcr_value, outfile, 022, TRUE))
+ {
+ DBG1(DBG_PTS, "writing '%s' failed", outfile);
+ }
+ }
+ chunk_free(&pcr_value);
+
+ exit_tpm_extendpcr(NULL);
+ return -1; /* should never be reached */
+}